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Preface 



The Department of Homeland Security (DHS) Office of Inspector General (OIG) was established by 
the Homeland Security Act of 2002 (Public Law 107-296) by amendment to the Inspector General 
Act of 1978. This is one of a series of audit, inspection, and special reports prepared as part of our 
oversight responsibilities to promote economy, efficiency, and effectiveness within the department. 

The attached report presents financial information excerpted from DHS' Annual Financial Report 
(AFR) and the results of the DHS financial statement audits for fiscal year (FY) 2008 and FY 2007. 
We contracted with the independent public accounting firm KPMG LLP (KPMG) to perform the 
audits. The contract required that KPMG perform its audits according to generally accepted 
government auditing standards and guidance from the Office of Management and Budget and the 
Government Accountability Office. KPMG was unable to provide an opinion on DHS' balance 
sheet as of September 30, 2008 and 2007. The FY 2008 auditor's report discusses nine significant 
deficiencies, six of which are considered material weaknesses in internal control, and eight instances 
of noncompliance with laws and regulations. KPMG is responsible for the attached auditor's report 
dated November 14, 2008, and the conclusions expressed in the report. We do not express opinions 
on DHS' financial statements or internal control or conclusions on compliance with laws and 
regulations. 

The recommendations herein have been discussed in draft with those responsible for 
implementation. It is our hope that this report will result in more effective, efficient, and economical 
operations. We express our appreciation to all of those who contributed to the preparation of this 
report. 




Richard L. Skinner 
Inspector General 



U.S. DEPARTMENT OF HOMELAND SECURITY 

Excerpts from the DHS Annual Financial Report 
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MEMORANDUM FOR: 



The Honorable Michael Chertoff 
Secretary 





FROM: 



Richard L. Skinner 
Inspector General 



SUBJECT: 



Independent Auditors' Report on DHS' FY 2008 Balance Sheet and 
Statement of Custodial Activity 



The attached report presents the results of the Department of Homeland Security's (DHS or 
department) financial statement audits for fiscal year (FY) 2008 and FY 2007. These are mandatory 
audits required by the Chief Financial Officers Act of 1990 as amended by Department of Homeland 
Security Financial Accountability Act of 2004. This report is incorporated into the department's FY 
2008 Annual Financial Report. We contracted with the independent public accounting firm KPMG 
LLP (KPMG) to perform the audits. 

Generally the mission action plans for DHS' components showed results of continued improvement 
in financial reporting during FY 2008, although overall the department still has much work 
remaining. For the fifth year, KPMG was unable to provide an opinion on the department's balance 
sheet; although elements and conditions of prior year weaknesses have been corrected, except for the 
improvement in Entity-Level Controls, the material weakness conditions at the department exist in 
many of the same processes as in prior years. 



KPMG was unable to express an opinion on the department's balance sheets as of September 30, 
2008 and 2007, and the related statements of custodial activity for the years then ended, because 
DHS was unable to represent that certain financial statement balances were correct, and was unable 
to provide sufficient evidence to support its financial statements. In connection with the audits, 
KPMG also considered DHS' internal controls over financial reporting and compliance with certain 
provisions of laws and regulations. As a result, the FY 2008 Independent Auditors' Report discusses 
six significant deficiencies considered to be material weaknesses, three other significant deficiencies 
in internal control, and eight instances of non-compliance with laws and regulations, as follows: 



Summary 



Significant Deficiencies That Are Considered To Be Material Weaknesses 

A. Financial Reporting 

B. Financial Systems General and Application Controls 

C. Fund Balance with Treasury 

D. Capital Assets and Supplies 

E. Actuarial and Other Liabilities 

F. Budgetary Accounting 



J. Federal Managers ' Financial Integrity Act of 1982 (FMFIA) 

K. Federal Financial Management Improvement Act of 1996 (FFMIA) 

L. Single Audit Act Amendments of 1996, and laws and regulations supporting OMB Circular 

No. A-50, Audit Follow-up, as revised 
M. Improper Payments Information Act of 2002 (IPIA) 
N. Chief Financial Officers Act of 1990 
O. Government Performance and Results Act of 1993 (GPRA) 
P. Debt Collection Improvement Act of 1996 (DCIA) 
Q. Anti-deficiency Act 

Moving DHS' Financial Management Forward 

While the auditors noted improvement toward correction of internal control weaknesses, the 
department was unable to represent that its financial statements as of, and for the year ended, 
September 30, 2008, were presented in conformity with U.S. generally accepted accounting 
principles. The U.S. Coast Guard (USCG), Transportation Security Administration (TSA), and the 
Federal Emergency Management Agency (FEMA), were unable to provide sufficient evidence to 
support account balances presented in the financial statements and collectively contributed to the 
auditors' inability to render an opinion. 

Since last year, the department was able to reduce the number of conditions leading to the 
independent auditors disclaimer of opinion on DHS' financial statements from six to three. As a 
result, OFM and the Office of Health Affairs (OHA) no longer contribute to the disclaimer 
conditions and FEMA remediated all its prior year disclaimer conditions. However, during the FY 
2008 audit new disclaimer conditions were identified at TSA and FEMA. TSA was unable to assert 
that its capital asset balances are fairly stated and FEMA was unable to assert that its capital asset 
balances, related to internal use software, are fairly stated respectively, at September 30, 2008. 



Other Significant Deficiencies 



G. 
H. 
I. 



Entity-Level Controls 

Custodial Revenue and Drawback 

Deferred Revenue 



Non-compliance with Laws and Regulations 
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The Coast Guard began FY 2008 with a focus on Entity-Level Controls, and the military portion of 
the fund balance with Treasury. During FY 2008, Coast Guard made initial steps toward 
improvements to procedural, control, and personnel by chartering the Senior Management Council 
(SMC) and revising its Financial Strategy for Transformation and Audit Readiness (FSTAR). To 
update FSTAR, Coast Guard performed an in-depth root cause analysis that identified seventeen 
areas for improvement. However, the Coast Guard was unable to fully remediate prior year control 
weaknesses, and the auditors again reported that the Coast Guard contributed to all six material 
weaknesses and the Entity-Level Controls significant deficiency. 

Many of the DHS' challenges in financial management and reporting can be attributed to the original 
stand-up of a large, new, and complex executive branch agency without adequate organizational 
expertise in financial management and accounting. The department made modest progress in 
remediating weaknesses during FY 2008 and remains committed to focusing on remediation efforts 
at USCG, FEMA, and TSA, while sustaining progress made throughout FY 2008. During the past 
year, the department and its components continued the extensive effort to develop meaningful 
mission action plans to address specific material internal control weaknesses. We are evaluating the 
effectiveness of those mission action plans in a separate series of audits. 

KPMG is responsible for the attached independent auditor's report dated November 14, 2008, and 
the conclusions expressed in the report. We do not express opinions on financial statements or 
internal control or conclusions on compliance with laws and regulations. 

Consistent with our responsibility under the Inspector General Act, we are providing copies of this 
report to appropriate congressional committees with oversight and appropriation responsibilities over 
the department. In addition, we will post a copy of the report on our public website. 

We request that each of the department's chief financial officers provide us with a corrective action 
plan that demonstrates progress in addressing the report's recommendations. 

We appreciate the cooperation extended to the auditors by the department's financial offices. 
Should you have any questions, please call me, or your staff may contact Anne Richards, Assistant 
Inspector General for Audits, at 202-254-4100. 

Attachment 
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KPMG LLP 

2001 M Street, NW 
Washington, DC 20036 



INDEPENDENT AUDITORS' REPORT 



Secretary and Inspector General 

U.S. Department of Homeland Security: 

We were engaged to audit the accompanying balance sheets of the U.S. Department of Homeland Security (DHS 
or Department) as of September 30, 2008 and 2007, and the related statements of custodial activity for the years 
then ended (referred to herein as "financial statements"). In connection with our fiscal year (FY) 2008 audit, we 
also considered DHS' internal controls over financial reporting, and DHS' compliance with certain provisions of 
applicable laws, regulations, contracts, and grant agreements that could have a direct and material effect on these 
financial statements. We were not engaged to audit the accompanying statements of net cost, changes in net 
position, and budgetary resources, for the years ended September 30, 2008 and 2007 (referred to herein as "other 
FY 2008 and 2007 financial statements"). 

Summary 

As discussed in our report on the financial statements, the scope of our work was not sufficient to express an 
opinion on the DHS balance sheets as of September 30, 2008 and 2007, or the related statements of custodial 
activity for the years then ended. 

As discussed in Note l.X to the financial statements, in FY 2008, DHS changed its method of accounting for a 
budgetary allocation transfer made by the Office of Health Affairs (OHA), a DHS component, to another Federal 
agency. 

Our consideration of internal control over financial reporting resulted in the following conditions being identified 
as significant deficiencies: 



A. 


Financial Reporting 


B. 


Information Technology General and Application Controls 


C. 


Fund Balance with Treasury 


D. 


Capital Assets and Supplies 


E. 


Actuarial and Other Liabilities 


F. 


Budgetary Accounting 


G. 


Entity Level Controls 


H. 


Custodial Revenue and Drawback 


I. 


Deferred Revenue 



We consider significant deficiencies A through F, above, to be material weaknesses. 

The results of our tests of compliance with certain provisions of laws, regulations, contracts, and grant agreements 
disclosed the following instances of noncompliance or other matters that are required to be reported under 
Government Auditing Standards, issued by the Comptroller General of the United States, and Office of 
Management and Budget (OMB) Bulletin No. 07-04, Audit Requirements for Federal Financial Statements: 

J. Federal Managers ' Financial Integrity Act of 1982 (FMFIA) 

K. Federal Financial Management Improvement Act of 1996 (FFMIA) 

L. Single Audit Act Amendments of 1996, and Laws and Regulations Supporting OMB Circular No. A-50, 

Audit Follow-up, as revised 

M. Improper Payments Information Act of 2002 

N. Chief Financial Officers Act of 1990 

O. Government Performance and Results Act of 1993 

P. Debt Collection Improvement Act of 1996 

Q. Anti-deficiency Act 



We also reported other matters related to compliance with the Anti-deficiency Act at the National Protection and 
Programs Directorate (NPPD), Federal Emergency Management Agency (FEMA), U.S. Coast Guard (USCG) and 
Federal Law Enforcement Training Center (FLETC). 

Other internal control matters and other instances of non-compliance may have been identified and reported had 
we been able to perform all procedures necessary to express an opinion on the DHS balance sheets as of 
September 30, 2008 and 2007, and the related statements of custodial activity for the years then ended, and had 
we been engaged to audit the other fiscal year 2008 and 2007 financial statements. 

The following sections discuss the reasons why we are unable to express an opinion on the accompanying DHS 
balance sheets as of September 30, 2008 and 2007, and on the statements of custodial activity for the years then 
ended; our consideration of DHS' internal control over financial reporting; our tests of DHS' compliance with 
certain provisions of applicable laws, regulations, contracts, and grant agreements and other matters; and 
management's and our responsibilities. 

Report on the Financial Statements 

We were engaged to audit the accompanying balance sheets of the U.S. Department of Homeland Security as of 
September 30, 2008 and 2007, and the related statements of custodial activity for the years then ended. We were 
not engaged to audit the accompanying statements of net cost, changes in net position, and budgetary resources 
for the years ended September 30, 2008 and 2007. 

The United States Coast Guard (Coast Guard) was unable to provide sufficient evidential matter or make 
knowledgeable representations of facts and circumstances, that support transactions and account balances of the 
Coast Guard, as presented in the DHS balance sheets at September 30, 2008 and 2007; particularly with respect to 
fund balance with Treasury, accounts receivable, inventory and related property, certain categories of property, 
plant and equipment, actuarially-derived liabilities, environmental and other liabilities, undelivered orders and 
changes in net position, and adjustments, both manual and automated, made as part of Coast Guard's financial 
reporting process. The Coast Guard was unable to complete corrective actions and make adjustments, as 
necessary, to these and other balance sheet amounts, prior to the completion of the DHS FY 2008 Annual 
Financial Report (AFR). Because of the significance of these account balances and/or transactions and conditions 
noted above, DHS and Coast Guard management were unable to represent that the Coast Guard's balance sheets 
as of September 30, 2008 and 2007, were fairly stated in conformity with U.S. generally accepted accounting 
principles. The total assets of Coast Guard, as reported in the accompanying DHS balance sheet, were $17.4 
billion and $15.9 billion, or 20 percent of total DHS consolidated assets in both years, as of September 30, 2008 
and 2007, respectively. 

The Transportation Security Administration (TSA) was unable to fully support the accuracy and completeness of 
certain capital asset balances and related effects on net position, if any, prior to the completion of the DHS FY 
2008 AFR. The TSA capital assets as reported in the accompanying DHS balance sheet as of September 30, 
2008, were $932 million or six percent of DHS' consolidated property, plant and equipment. 

FEMA was unable to fully support the accuracy and completeness of certain capital assets balances related to 
internal use software, and related effects on net position, if any, prior to the completion of the DHS FY 2008 
AFR. The FEMA capital assets related to internal use software, net as reported in the accompanying DHS 
balance sheet as of September 30, 2008 were $22 million or 0.2 percent of DHS' consolidated property, plant and 
equipment, net. In FY 2007, FEMA was unable to fully support the accuracy and completeness of certain 
stockpiled supplies, unpaid obligations related to mission assignments, and certain grants payable/advances, and 
the related effects on net position, if any, prior to the completion of the DHS FY 2007 AFR. The stockpiled 
supplies, as reported in the accompanying DHS balance sheet as of September 30, 2007, were $243 million or 38 
percent of DHS' consolidated inventory and related property. FEMA's unpaid obligations related to mission 
assignments, as reported in the accompanying DHS balance sheet as of September 30, 2007, were $2.6 billion or 
five percent of DHS' consolidated unexpended appropriations. FEMA's net grants payable/advances, as reported 
in the DHS balance sheet as of September 30, 2007, were $149 million or three percent of DHS' consolidated 
accounts payable. The total net position of FEMA as reported in the accompanying DHS balance sheet as of 
September 30, 2007, was $10.1 billion or 13 percent of DHS' consolidated liabilities and net position. 

In FY 2007, DHS Office of Financial Management (OFM) and certain DHS components were unable to reconcile 
intragovernmental transactions and balances with other Federal trading partners totaling approximately $1.5 
billion as of September 30, 2007, prior to the completion of the DHS FY 2007 AFR. 
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In FY 2007, the DHS Office of Health Affairs (OHA) was unable to provide sufficient evidential matter to 
support its recording of $1.5 billion in both fund balance with Treasury and undelivered orders at September 30, 
2007, resulting from a budgetary allocation transfer made by OHA to another Federal agency in FY 2007. 
Because of the significance of this allocation transfer, DHS management was unable to represent that the balance 
sheet of OHA was fairly stated in conformity with U.S. generally accepted accounting principles at September 30, 
2007. The total assets of OHA, as reported in the accompanying DHS balance sheet as of September 30, 2007, 
were $3.3 billion or four percent of total DHS consolidated assets. 

In addition, we were unable to obtain certain representations from DHS management regarding the matters 
described above, including representations as to compliance with U.S. generally accepted accounting principles, 
with respect to the accompanying DHS balance sheets and related statements of custodial activity as of and for the 
years ended September 30, 2008 and 2007, and were unable to determine the effect of the lack of such 
representations on the FY 2008 and 2007 DHS financial statements. 

It was impractical to extend our procedures sufficiently to determine the extent, if any, to which the DHS balance 
sheets as of September 30, 2008 and 2007, and the related statements of custodial activity for the years then 
ended, may have been affected by the matters discussed in the six preceding paragraphs. Accordingly, the scope 
of our work was not sufficient to enable us to express, and we do not express, an opinion on these financial 
statements and the related notes thereto. 

We were not engaged to audit the accompanying statements of net cost, changes in net position, and budgetary 
resources for the years ended September 30, 2008 and 2007, and accordingly, we do not express an opinion on 
these financial statements. 

As discussed in Note 33, DHS restated its FY 2007 financial statements to correct multiple errors identified by 
TSA, Coast Guard, OHA, and FLETC, that required adjustment of balances previously reported in DHS' FY 2007 
financial statements. Because of the matters discussed in the second paragraph above regarding our FY 2008 audit 
at Coast Guard, and the control deficiencies described in our report on internal control over financial reporting, we 
were unable to audit the restatements identified by Coast Guard, and accordingly, we have not concluded on the 
appropriateness of this accounting treatment or the restatement of the DHS balance sheet as of September 30, 2007. 

As discussed in Note l.X to the financial statements, in FY 2008, DHS changed its method of accounting for a 
budgetary allocation transfer made by the OHA to another Federal agency that required adjustment of balances 
previously reported in DHS' FY 2007 financial statements. 

The information in the Management's Discussion and Analysis (MD&A), RSSI, and Required Supplementary 
Information (RSI) sections of the DHS AFR is not a required part of the financial statements, but is supplementary 
information required by U.S. generally accepted accounting principles. We were unable to complete limited 
procedures over MD&A, RSSI, and RSI as prescribed by professional standards because of the limitations on the 
scope of our audit described in the previous paragraphs of this section of our report. Certain information presented 
in the MD&A, RSSI, and RSI is based on FY 2008 and 2007 financial statements on which we have not expressed 
an opinion. We did not audit the MD&A, RSSI, and RSI, and accordingly, we express no opinion on it. 

The information in Other Accompanying Information of DHS' FY 2008 AFR is presented for purposes of 
additional analysis, and is not a required part of the financial statements. This information has not been subjected 
to auditing procedures, and accordingly, we express no opinion on it. 

Internal Control over Financial Reporting 

Our consideration of the internal control over financial reporting was for the limited purpose described in the 
Responsibilities section of this report and would not necessarily identify all deficiencies in the internal control 
over financial reporting that might be significant deficiencies or material weaknesses. 

A control deficiency exists when the design or operation of a control does not allow management or employees, in 
the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis. A 
significant deficiency is a control deficiency, or combination of control deficiencies, that adversely affects DHS' 
ability to initiate, authorize, record, process, or report financial data reliably in accordance with U.S. generally 
accepted accounting principles such that there is more than a remote likelihood that a misstatement of DHS' 
financial statements that is more than inconsequential will not be prevented or detected by DHS' internal control 
over financial reporting. A material weakness is a significant deficiency, or combination of significant 
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deficiencies, that results in more than a remote likelihood that a material misstatement of the financial statements 
will not be prevented or detected by DHS' internal control. 

Significant deficiencies in internal control over financial reporting and its operation are described in Exhibits I, II, 
and III. Deficiencies that are considered to be material weaknesses at the Coast Guard, when aggregated with 
deficiencies existing at other components at the consolidated level, are presented in Exhibit I. Deficiencies that 
are considered to be material weaknesses at other DHS components, when aggregated with deficiencies existing at 
the Coast Guard at the consolidated level, are presented in Exhibit II. Exhibit III presents significant deficiencies 
that are not considered to be material weaknesses when aggregated with deficiencies at all components at the 
consolidated level. As discussed in the Report on the Financial Statements section, the scope of our work was not 
sufficient to express an opinion on the balance sheets as of September 30, 2008 and 2007, and the related 
statements of custodial activity for the years then ended, and accordingly, other internal control matters may have 
been identified and reported had we been able to perform all procedures necessary to express an opinion on those 
financial statements, and had we been engaged to audit the other FY 2008 and 2007 financial statements. A 
summary of the status of FY 2007 significant deficiencies is included as Exhibit V. 

We also noted certain additional deficiencies involving internal control over financial reporting and its operation 
that we will report to the management of DHS in a separate letter. 

Compliance and Other Matters 

The results of certain of our tests of compliance as described in the Responsibilities section of this report, 
exclusive of those referred to in the FFMIA, disclosed eight instances of noncompliance or other matters that are 
required to be reported under Government Auditing Standards or OMB Bulletin No. 07-04, and are described in 
Exhibit IV. 

The results of our other tests of compliance as described in the Responsibilities section of this report, exclusive of 
those referred to in FFMIA, disclosed no other instances of noncompliance or other matters that are required to be 
reported under Government Auditing Standards or OMB Bulletin No. 07-04. 

The results of our tests of FFMIA, disclosed instances described in Exhibits I, II and III where DHS' financial 
management systems did not substantially comply with (1) Federal financial management systems requirements, 
(2) applicable Federal accounting standards, and (3) the United States Government Standard General Ledger at 
the transaction level. 

As discussed in our report on the financial statements, the scope of our work was not sufficient to express an opinion 
on the balance sheets as of September 30, 2008 and 2007, and the related statements of custodial activity for the 
years then ended, and accordingly, other instances of noncompliance with laws, regulations, contracts, and grant 
agreements may have been identified and reported, had we been able to perform all procedures necessary to express 
an opinion on those financial statements, and had we been engaged to audit the other FY 2008 and 2007 financial 
statements. In addition, because of the matters discussed in our report on the financial statements, we were unable to 
perform certain tests of compliance over the Prompt Payment Act and Titles 10, 14, 31 (as related to the Anti- 
deficiency Act), and 37 of the United States Code at the Coast Guard. 

Other Matters. NPPD management has continued a review of the classification and use of certain funds that may 
identify a violation of the Anti-deficiency Act, or other violations of appropriations law in FY 2008 or in previous 
years. In addition, NPPD management has initiated a review of certain fees collected for attendance at a DHS 
sponsored annual conference that may identify a violation of the Anti-deficiency Act. FLETC management has 
identified a matter that has been reported as a violation of the Anti-deficiency Act related to the classification of a 
building lease. The Office of Inspector General (OIG) intends to review the classification of two other building 
leases at FLETC that may identify a violation of the Anti-deficiency Act that occurred during previous years. The 
OIG has initiated a review, at FEMA management's request, of certain expenditures occurring in previous years 
that may have violated the Anti-deficiency Act. Coast Guard management has initiated a review of the use of 
certain funds to construct assets in previous years that may identify a violation of the Anti-deficiency Act. 
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Management's Response to Internal Control and Compliance Findings 

DHS management has indicated in a separate letter immediately following this report that it concurs with the 
findings presented in Exhibits I, II, III, and IV of our report. We did not audit DHS' response, and accordingly, 
we express no opinion on it. 

Responsibilities 

Management's Responsibilities. Management is responsible for the financial statements; establishing and 
maintaining effective internal control; and complying with laws, regulations, contracts, grant agreements, and 
other matters applicable to DHS. 

Auditors' Responsibilities. As discussed in the report on the financial statements section, the scope of our work 
was not sufficient to enable us to express, and we do not express, an opinion on the DHS balance sheets as of 
September 30, 2008 and 2007, or on the related statements of custodial activity for the years then ended; and we 
were not engaged to audit the accompanying statements of net cost, changes in net position, and budgetary 
resources for the years ended September 30, 2008 and 2007. 

In connection with our FY 2008 engagement, we considered DHS' internal control over financial reporting by 
obtaining an understanding of DHS' internal control, determining whether internal controls had been placed in 
operation, assessing control risk, and performing tests of controls as a basis for designing our audit procedures. 
We did not test all internal controls relevant to operating objectives as broadly defined by the FMFIA. The 
objective of our engagement was not to express an opinion on the effectiveness of DHS' internal control over 
financial reporting. Accordingly, we do not express an opinion on the effectiveness of DHS' internal control over 
financial reporting. Further, other matters involving internal control over financial reporting may have been 
identified and reported had we been able to perform all procedures necessary to express an opinion on the DHS 
balance sheet as of September 30, 2008, and the related statement of custodial activity for the year then ended, 
and had we been engaged to audit the other FY 2008 financial statements. 

In connection with our FY 2008 engagement, we performed tests of DHS' compliance with certain provisions of 
laws, regulations, contracts, and grant agreements, noncompliance with which could have a direct and material 
effect on the determination of the balance sheet amounts as of September 30, 2008, and the related statement of 
custodial activity for the year then ended, and certain provisions of other laws and regulations specified in OMB 
Bulletin No. 07-04, including the provisions referred to in Section 803(a) of FFMIA. We limited our tests of 
compliance to the provisions described in the preceding sentence, and we did not test compliance with all laws, 
regulations, contracts, and grant agreements applicable to DHS. However, providing an opinion on compliance 
with laws, regulations, contracts, and grant agreements was not an objective of our engagement, and accordingly, 
we do not express such an opinion. In addition, other matters involving compliance with laws, regulations, 
contracts, and grant agreements may have been identified and reported had we been able to perform all procedures 
necessary to express an opinion on the DHS balance sheet as of September 30, 2008, and the related statement of 
custodial activity for the year then ended, and had we been engaged to audit the other FY 2008 financial 
statements. 

Restricted Use 

This report is intended solely for the information and use of DHS management, DHS Office of Inspector General, 
OMB, U.S. Government Accountability Office, and the U.S. Congress, and is not intended to be and should not be 
used by anyone other than these specified parties. 




LCP 



November 14, 2008 
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Independent Auditors' Report 

Introduction to Exhibits on Internal Control and Compliance and Other Matters 



Our report on internal control over financial reporting and compliance and other matters is presented in 
accordance with Government Auditing Standards, issued by the Comptroller General of the United States. 
The internal control weaknesses, and findings related to compliance with certain laws, regulations, 
contracts, and grant agreements presented herein were identified during our engagement to audit the 
Department of Homeland Security (DHS or Department) balance sheet and related statement of custodial 
activity as of and for the year ended September 30, 2008. We were not engaged to audit the Department's 
FY 2008 statements of net cost, changes in net position, and budgetary resources (referred to as other FY 
2008 financial statements). Our findings and the status of prior year findings are presented in five exhibits: 

Exhibit I Significant deficiencies in internal control identified at the Coast Guard. All of the 
significant deficiencies reported in Exhibit I are considered material weaknesses that 
individually, or when combined with other significant deficiencies reported in Exhibit II, 
are considered material weaknesses at the DHS consolidated financial statement level. 

Exhibit II Significant deficiencies in internal control identified at other DHS components (collectively 
referred to as DHS Civilian Components). All of the significant deficiencies reported in 
Exhibit II are considered material weaknesses that individually, or when combined with 
other significant deficiencies reported in Exhibit I, are considered material weaknesses at 
the DHS consolidated financial statement level. 

Exhibit III Significant deficiencies that are not considered a material weakness at the DHS 
consolidated financial statement level. 

Exhibit IV Instances of noncompliance with certain laws, regulations, contracts, and grant agreements 
that are required to be reported under Government Auditing Standards or Office of 
Management and Budget (OMB) Bulletin No. 07-04, Audit Requirements for Federal 
Financial Statements. 

Exhibit V The status of our findings reported in FY 2007. 

As stated in our Independent Auditors' Report, our consideration of internal control over financial reporting 
would not necessarily disclose all matters that might be significant deficiencies or instances of 
noncompliance. We were not engaged to audit the other FY 2008 financial statements. In addition, the 
scope of our work was not sufficient to express an opinion on the financial statements that we were 
engaged to audit; consequently, other internal control matters and instances of noncompliance may have 
been identified and reported had we been engaged to audit all of the FY 2008 financial statements, and had 
we been able to perform all procedures necessary to express an opinion on those financial statements. 

The determination of which findings rise to the level of a material weakness is based on an evaluation of 
how all component conditions, considered in aggregate, may affect the DHS balance sheet as of September 
30, 2008, or the related statement of custodial activity for the year then ended. 

We have also performed follow-up procedures on findings identified in previous engagements to audit the 
DHS financial statements. All of the material weaknesses identified and reported in Exhibit I for the Coast 
Guard are repeated from our FY 2006 and FY 2007 report, and include updates for new findings resulting 
from our 2008 audit procedures. To provide trend information for the DHS Civilian Components, Exhibit 
II contains a Trend Table next to the heading of each finding, except Exhibit II-B, IT General and 
Application Controls. The Trend Tables in Exhibit II depict the severity and current status of findings by 
component that has contributed to that finding from 2006 through 2008. A summary of our findings in FY 
2008 and FY 2007 are presented in the Tables below: 

Table 1 Presents a summary of our internal control findings, by component, for FY 2008. 

Table 2 Presents a summary of our internal control findings, by component, for FY 2007. 

We have reported six material weaknesses at the Department level in FY 2008, which is reduced from 
seven reported in FY 2007. As reported in Exhibit III-G, Entity Level Controls, financial management and 
entity level control deficiencies reported as a material weakness in FY 2007 (Table 2, Comments I-A and 
II-A below), are reported as a significant deficiency in FY 2008 (Table 1, Comment III-G). 
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Introduction to Exhibits on Internal Control and Compliance and Other Matters 



TABLE 1 - SUMMARIZED DHS FY 2008 INTERNAL CONTROL FINDINGS 



Comment / Control Deficiency 


DHS 
Consol. 


CG 




DHS HQ 


CBP 


CIS 


FEMA 


FLETC 


ICE 


S&T 


TSA 


US Visit 




Military 




Civilian Components 


Material Weaknesses: 




Exhibit II 


A Financial Reporting 


MW 






C 






MW 








MW 




B IT General and App. Controls 


MW 


MW 




C 


SD 


SD 




SD 


C 




MW 




C Fund Balance with Treasury 


MW 


MW 






















D Capital Assets and Supplies 


MW 


MW 






SD 












MW 


C 


E Actuarial and Other Liabilities 


MW 


MW 












- 


SD 


SD 


C 




F Budgetary Accounting 










SD 












C 





Significant Deficiencies: Exhibit III 



G Entity-Level Controls 

H Custodial Revenue and Drawback 

I Deferred Revenue 


SD 






















SD 






















SD 























TABLE 2 - SUMMARIZED DHS FY 2007 INTERNAL CONTROL FINDINGS 


Comment / Control Deficiency 


DHS 
Consol. 


CG 


DHS HQ 


CBP 


CIS 


FEMA 


FLETC 


ICE 


S&T 


TSA 


US Visit 


Military 


Civilian Components 


Material Weaknesses: 


Exhibit I 


Exhibit II 


A Financial Management and ELC 
B Financial Reporting 
C Financial Systems Security 
D Fund Balance with Treasury 
E Capital Assets and Supplies 
F Actuarial and Other Liabilities 
G Budgetary Accounting 


MW 


MW 








MW 












MW 


MW 


MW 






MW 








SD 




MW 


MW 


SD 


SD 




MW 


SD 


SD 




MW 




MW 


MW 




















MW 


MW 








MW 








SD 


SD 


MW 


MW 








MW 








SD 




MW 


MW 








MW 






| MW 





Significant Deficiencies: Exhibit I 



H Custodial Revenue and Drawback 



SD 



SD 



Corrected in FY 2008 

Material Weakness (individually, or when combined with other components, result in Department level finding) 
Significant Deficiency (SD's in Exhibit II contribute to Department level material weakness) 
Contributing to a significant deficiency 



All components of DHS, as defined in Note 1 A - Reporting Entity, to the financial statements, were included in the 
scope of our engagement to audit the consolidated balance sheet of DHS as of September 30, 2008, and the related 
statement of custodial activity for the year then ended. Accordingly, our audit considered significant account balances 
and transactions of other DHS components not listed above. Control deficiencies identified in other DHS components 
that are not identified in the table above, did not individually, or when combined with other component findings, 
contribute to a significant deficiency at the DHS consolidated financial statement level. 
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I-A Financial Reporting 

Background: In FY 2007, we reported that the Coast Guard had several internal control weaknesses that led 
to a material weakness in financial reporting. In FY 2008, the Coast Guard revised its Financial Strategy 
for Transformation and Audit Readiness (FSTAR). The FSTAR is a comprehensive plan to identify and 
correct the root causes of control deficiencies. However, most of the actions outlined in FSTAR are 
scheduled to occur after FY 2008, and consequently, the Coast Guard was not able to make substantial 
progress in correcting the deficiencies we reported in previous years, and repeated below. 

Conditions: The Coast Guard: 

• Has not developed and implemented an effective general ledger system. The Core Accounting 
System (CAS), Aircraft Logistics Management Information System (ALMIS), and Naval 
Engineering Supply Support System (NESSS) general ledgers do not comply with the 
requirements of the Federal Financial Management Improvement Act (FFMIA), We noted that: 

The general ledgers do not allow for compliance with the United States Standard General 
Ledger (USSGL) at the transaction level. For example, the general ledgers include non- 
compliant account definitions, invalid accounts, improper posting logic codes and inconsistent 
crosswalks to the Coast Guard Treasury Information Executive Repository (TIER) database; 

The CAS general ledger includes static balances related to a legacy general ledger conversion; 

Financial data in the general ledger may be compromised by automated and manual changes 
that are unsubstantiated, through the use of information technology (IT) scripts; 

Financial information submitted to the Department for consolidation is from a database that 
does not maintain detail at the transaction level and is not reconciled or supported by the 
transaction level detail in the Coast Guard's three general ledgers; and 

Topside adjustments necessary to close and report financial activity are not recorded at the 
transaction level in the respective general ledgers. Period-end and opening balances are not 
supported by transactional detail in the three general ledgers. 

• Does not have properly designed, implemented and effective policies, procedures, and controls 
surrounding its financial reporting process, in order to support beginning balances, year-end close- 
out, and the cumulative results of operation analysis. For example, the Coast Guard does not have 
effective policies, procedures and / or internal controls: 

To identify the cause and resolve system-level abnormal balances and account relationship 
discrepancies, e.g., budgetary to proprietary reconciliations, and identified potential errors in 
its financial data; 

Over the process of preparing and reviewing adjustments to account balances and financial 
statement disclosures, and uses high-level analytical comparisons to identify adjusting entries; 

To assess potential financial system problems, such as posting logic errors and automated 
changes to financial data through scripts (system modifications); 

To record, review, and moritor accounts receivable activity; 

To compile, support, review, and report financial statement disclosures submitted for 
incorporation in the DHS financial statements, to include the effective completion of the U.S. 
Government Accountability Office (GAO) Disclosure Checklist and valid support for the 
preparation of statement of net cost disclosures; and 

To track and reconcile intragovernmental transactions with its Federal trading partners, 
especially those outside DHS, and to determine that Coast Guard intragovernmental balances, 
as reported in the DHS financial statements, are complete, accurate, appropriately valued, 
belong to the Coast Guard, and presented properly in the financial statements. 
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Cause/Effect: Some of the conditions described above are related to the conditions described in Exhibit III- 
G Entity-Level Controls. The Coast Guard has general ledger structural and IT system functionality 
deficiencies that make the financial reporting process more complex and difficult. The financial reporting 
process is overly complex, labor intensive, and requires a significant number of topside adjustments 
(adjustments made outside the core accounting system for presentation of financial information given to the 
Department for consolidation). The accuracy of financial information is highly dependent on the 
knowledge and experience of a limited number of key financial personnel rather than on clearly 
documented procedural manuals and process-flow documentation. Consequently, the Coast Guard can not 
be reasonably certain that its financial statements are complete or accurate at any time. In its annual 
Assurance Statement provided to the DHS Secretary in September 2008, the Coast Guard was unable to 
provide reasonable assurance that internal controls over financial reporting are operating effectively, and 
was unable to represent to its auditors that any significant balance sheet line items, except for investments 
and contingent liabilities, are fairly stated at September 30, 2008. 

Criteria: FFMIA Section 803(a) requires that Federal financial management systems comply with 
(1) Federal accounting standards, (2) Federal system requirements, and (3) the USSGL at the transaction 
level. FFMIA emphasizes the need for agencies to have systems that can generate timely, reliable, and 
useful information with which to make informed decisions to ensure ongoing accountability. 

The Federal Managers' Financial Integrity Act of 1982 (FMFIA) requires that agencies establish internal 
controls according to standards prescribed by the Comptroller General and specified in the GAO Standards 
for Internal Control in the Federal Government (Standards). These standards define internal control as an 
integral component of an organization's management that provides reasonable assurance that the following 
objectives are being achieved: effectiveness and efficiency of operations, reliability of financial reporting, 
and compliance with applicable laws and regulations. 

The GAO Standards require that internal controls be documented in management directives, administrative 
policies or operating manuals; transactions and other significant events be clearly documented; and 
information be recorded and communicated timely with those who need it within a timeframe that enables 
them to carry out their internal control procedures and other responsibilities. 

The Treasury Federal Intragovernmental Transactions Accounting Policies Guide, dated August 15, 2008, 
and OMB Circular No. A- 136, Financial Reporting Requirements, as revised, require Federal CFO Act and 
non-CFO Act entities identified in the Treasury Financial Manual (TFM) 2008, Vol. I, Part 2-Chapter 4700, 
Agency Reporting Requirements for the Financial Report of the United States Government, to perform 
quarterly reconciliations of intragovernmental activity /balances. TFM, Section 4706, Intragovernmental 
Requirements, requires reporting agencies to reconcile and confirm intragovernmental activity and balances 
quarterly for specific reciprocal groupings. TFM Bulletin 2007-03, Intragovernmental Business Rules, also 
provides guidance to Federal agencies for standardizing the processing and recording of intragovernmental 
activities. 

Recommendations: We recommend that the Coast Guard: 

1. Implement an integrated general ledger system that is FFMIA compliant. Until an integrated general 
ledger system is implemented, ensure that all financial transactions and adjustments, including top-side 
entries, are recorded in the proper general ledger at the detail USSGL transaction level as they occur, 
and all financial statement line items should be reconciled and supported by transactional detail 
contained in the general and subsidiary ledgers; 

2. Conduct an assessment to identify and remove all non-compliant chart of account definitions, invalid 
and static accounts, identify any improper posting logic transaction codes, and identify inconsistencies 
in crosswalks to the TIER database provided to DHS OFM for consolidation; 

3. Identify and evaluate each manual and automated IT script to determine the effect on the current year 
and prior year financial statement balances, and make adjustments in the appropriate general ledger 
system, as necessary; 

4. Establish new or improve existing policies, procedures, and related internal controls to ensure that: 
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a) The year-end close-out process, reconciliation^ and financial data and account analysis 
procedures are supported by documentation, including evidence of effective management review 
and approval, and beginning balances in the following year are determined to be reliable and 
auditable; 

b) Topside adjustments toaccount balances and abnormal balances and account relationship 
discrepancies, e.g., budgetary to proprietary reconciliations, are identified, reviewed, and 
documented; 

c) Account reconciliations, for each of the three general ledgers and the monthly TIER submission, 
are performed timely each month, and differences are researched and resolved before the next 
month's reporting cycle. Reconciliations should include all funds maintained by the Coast Guard, 
including revolving, special, and trust funds; 

d) All accounts receivables are identified and comprehensive Coast Guard-wide policies and 
procedures are implemented, including internal controls at a sufficient level of detail to determine 
that the accounts receivable process is effective to support management assertions, in compliance 
with generally accepted accounting principles, for the accounts receivable balance reported on the 
Coast Guard balance sheet; and 

e) Financial statement disclosures submitted for incorporation in the DHS financial statements are 
compiled, supported, reviewed, and reported, to include the effective completion the GAO 
Disclosure Checklists and valid support for the preparation of the statement of net cost disclosure; 
and 

5. Establish a formal documented review and approval process over reconciliation activities performed by 
Coast Guard to ensure that all intragovernmental activity and balances are identified and differences 
are being resolved in a timely manner in coordination with the Department's OFM. Intragovernmental 
balances should be reconciled to supporting detail files prior to submission to OFM. 

I-B Information Technology(IT) General and Application Controls 

Background: The Coast Guard maintains three general ledger systems that support its financial statements 
and other financial data provided to DHS OFM for consolidation, which are CAS, ALMIS, and NESSS - 
described in Exhibit I-A, Financial Reporting. Our audit included a review of the Coast Guard's IT general 
controls (ITGC), and specifically in six key control areas: entity-wide security program planning and 
management, access control, application software development and change control, system software, 
segregation of duties, and service continuity. During FY 2008, the Coast Guard took actions to improve 
aspects of its ITGC to address our prior year findings; however, the Coast Guard did not make all of the 
necessary improvements that they had planned to make during the year. 

Conditions: During our FY 2008 ITGC testing, we identified 22 findings, of which 21 were repeat findings 
from prior years and one is a new finding. The ITGC and other financial system control weaknesses were 
identified at Coast Guard Headquarters and its components. We noted control deficiencies in three general 
control areas that when combined, present more than a remote possibility of materially impacting financial 
data integrity. The control deficiencies identified included: 

• Weak security configurations and excessive access to key Coast Guard financial applications, as 
well as lack of review of privileged user actions; 

• Application change control processes that are not adequately designed nor operating effectively; 
and 

• Entity-wide security program deficiencies involving personnel background checks, IT security 
awareness training, policies and procedures for prompt employee termination, and lack of finalized 
certification and accreditation documentation. 

The application change control process (second bullet), above is considered to be a material weakness 
impacting the DHS consolidated financial statements. In addition, the control deficiencies in application 
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change control processes are among the principle causes of the Coast Guard's inability to support its 
financial statement balances. See Exhibit I-A, Financial Reporting, for a discussion of the related 
conditions causing significant noncompliance with the requirements of FFMIA. Our ITGC findings are 
described in greater detail in a separate Limited Official Use (LOU) letter provided to the Coast Guard and 
DHS management. 

Cause/Effect: The Coast Guard has made progress correcting certain ITGC weaknesses identified in 
previous years. Specifically, the Coast Guard was able to close out 20 prior-year findings in the area of 
access controls, entity-wide security program, and service continuity. In addition, the Coast Guard has 
enhanced the assessment of the root cause of the ITGC weaknesses in order to effectively remediate issues; 
however, the Coast Guard was not able to fully implement all of its plans of action and milestones to 
remediate all ITGC control deficiencies in FY 2008. 

Many of these weaknesses were inherited from system development activities that did not incorporate 
strong security controls during the initial implementation of the system more than five years ago, and will 
take several years to fully address. These weaknesses exist both in the documentation of processes and the 
implementation of adequate security controls over processes and within financial systems. Specifically, 
policies and procedures supporting the operation of various processes within control areas such as change 
control were developed without taking into account required security practices. Consequently, as policies 
and procedures are updated, many Coast Guard components are challenged to move away from previous 
methodologies and fully implement and enforce these new controls. 

The effect of these ITGC weaknesses limits the Coast Guard's ability to ensure that critical financial data is 
reliable and is maintained in a manner to ensure confidentiality, integrity, and availability. In addition, as a 
result of the presence of IT weaknesses, there is added dependency on the other mitigating manual controls 
to be operating effectively at all times. Because mitigating controls often require more human 
involvement, there is an increased risk that human error could materially affect the financial statements. 

Criteria: The Federal Information Security Management Act (FISMA), passed as part of the Electronic 
Government Act of 2002, mandates that Federal entities maintain IT security programs in accordance with 
National Institute of Standards and Technology (NIST) guidance. 

OMB Circular No. A-130, Management of Federal Information Resources, describes specific essential 
criteria for maintaining effective general IT controls. 

FFMIA sets forth legislation prescribing policies and standards for executive departments and agencies to 
follow in developing, operating, evaluating, and reporting on financial management systems. The purpose 
of FFMIA is (1) to provide for consistency of accounting by an agency from one fiscal year to the next, and 
uniform accounting standards throughout the Federal Government, (2) require Federal financial 
management systems to support full disclosure of Federal financial data, including the full costs of Federal 
programs and activities, (3) increase the accountability and credibility of federal financial management, (4) 
improve performance, productivity and efficiency of Federal Government financial management, and (5) 
establish financial management systems to support controlling the cost of Federal Government. 

OMB Circular No. A-123, Management's Responsibility for Internal Control, states, "Agency managers 
should continuously monitor and improve the effectiveness of internal control associated with their 
programs. This continuous monitoring, and other periodic evaluations, should provide the basis for the 
agency head's annual assessment of and report on internal control, as required by FMFIA." This Circular 
indicates that "control weaknesses at a service organization could have a material impact on the controls of 
the customer organization. Therefore, management of cross-servicing agencies will need to provide an 
annual assurance statement to its customer agencies in advance to allow its customer agencies to rely upon 
that assurance statement. Management of cross-servicing agencies shall test the controls over the activities 
for which it performs for others on a yearly basis. These controls shall be highlighted in management's 
annual assurance statement that is provided to its customers [e.g., TSA]. Cross-servicing and customer 
agencies will need to coordinate the timing of the assurance statements." 

DHS' Sensitive Systems Policy Directive, 4300 A, as well as the DHS' Sensitive Systems Handbook 
documents policies and procedures adopted by DHS intended to improve the security and operation of all 
DHS IT systems including the Coast Guard IT systems. 



1.4 



Independent Auditors' Report 

Exhibit I - Material Weaknesses in Internal Control - U.S. Coast Guard 



The GAO's Federal Information System Controls Audit Manual (FISCAM) provides a framework and 
recommended audit procedures that are used to conduct the IT general control test work. 

Recommendations: We recommend that the DHS Office of Chief Information Officer in coordination with 
the Office of the Chief Financial Officer (OCFO) make the following improvements to the Coast Guard's 
financial management systems: 

1. Implement the recommendations in our LOU letter provided to the Coast Guard and DHS 
management, to effectively address the deficiencies identified including: (1) weak security 
configurations and excessive access to key Coast Guard financial applications, including review of as 
of privileged user actions, (2) application change control processes, and (3) entity -wide security 
program issues; 

2. Design and implement plan of action and milestones that address the root cause of the weakness; and 

3. Develop and implement policies and procedures that appropriately consider required security practices 
when supporting the operation of various processes within the change control area. 

I-C Fund Balance with Treasury 

Background: In FY 2007, we reported a material weakness in Fund Balance with Treasury (FBwT) at the 
Coast Guard. In FY 2008, the Coast Guard revised its remediation plan (FSTAR); however, the majority of 
corrective actions are scheduled to occur after FY 2008, and accordingly, many of the conditions stated 
below are repeated from our FY 2007 report. FBwT at the Coast Guard totaled approximately $5.2 billion, 
or approximately 8.3 percent of total DHS FBwT, at September 30, 2008. The majority of these funds 
represented appropriated amounts that were obligated, but not yet disbursed, as of September 30, 2008. 

Conditions: The Coast Guard has not developed and validated a comprehensive process, to include 
effective internal controls, to ensure that FBwT transactions exists and are complete and accurate. For 
example, the Coast Guard: 

• Did not maintain adequate supporting documentation that validated the accuracy for five of the six 
Coast Guard Agency Location Codes FBwT reconciliations; 

• Recorded adjustments to the general ledger FBwT accounts including adjustments to agree Coast 
Guard balances to Treasury amounts, that were unsupported and subsequently submitted to the 
Treasury; 

• Does not have an effective process for clearing of suspense account transactions related to FBwT. 
The Coast Guard lacks documented and effective policies and procedures and internal controls 
necessary to support the completeness, existence, and accuracy of suspense account transactions. 
In addition, the Coast Guard was unable to produce complete and accurate detail listings of 
suspense transactions recorded in the general ledger; and 

• Was unable to provide military and civilian payroll data to support the summary payroll 
transactions processed through the Coast Guard's FBwT. In addition, the Coast Guard lacked 
formal policies and procedures for processing and documenting all military and civilian payroll 
transactions. 

Cause/Effect: The Coast Guard had not designed and implemented accounting processes, including a 
financial system that complies with federal financial system requirements, as defined in OMB Circular No. 
A- 127, Financial Management Systems, and the requirements of the Joint Financial Management 
Improvement Program (JFMIP), now administered by the Financial Systems Integration Office (FSIO), to 
fully support the FY 2008 FBwT activity and balance as of September 30, 2008. Failure to implement 
timely and effective reconciliation processes could increase the risk of undetected errors and/or violations 
of appropriation laws, including instances of undiscovered Anti-deficiency Act violations or fraud, abuse 
and mismanagement of funds, which could lead to inaccurate financial reporting and affects DHS' ability 
to effectively monitor its budget status. 
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Criteria: Statement of Federal Financial Accounting Standards (SFFAS) No. 1 , Accounting for Selected 
Assets and Liabilities, paragraph 39 states, "Federal entities should explain any discrepancies between fund 
balance with Treasury in their general ledger accounts and the balance in the Treasury's accounts and 
explain the causes of the discrepancies in footnotes to the financial statements. (Discrepancies due to time 
lag should be reconciled and discrepancies due to error should be corrected when financial reports are 
prepared). Agencies also should provide information on unused funds in expired appropriations that are 
returned to Treasury at the end of a fiscal year." 

Per Fund Balance with Treasury Reconciliation Procedures, a Supplement to the I TFM 2-5100, Section V, 
"Federal agencies must reconcile their SGL 1010 account and any related subaccounts [. . .] on a monthly 
basis (at minimum). [.. .] Federal agencies must [. . .] resolve all differences between the balances reported 
on their G/L FBwT accounts and balances reported on the [Government-wide Accounting system (GWA)]." 
In addition, "An agency may not arbitrarily adjust its FBWT account. Only after clearly establishing the 
causes of errors and properly documenting those errors, should an agency adjust its FBWT account 
balance. If an agency must make material adjustments, the agency must maintain supporting 
documentation. This will allow correct interpretation of the error and its corresponding adjustment." 

Section 803(a) of FFMIA requires that Federal financial management systems comply with (1) Federal 
accounting standards, (2) Federal financial management system requirements, and (3) the USSGL at the 
transaction level. FFMIA emphasizes the need for agencies to have systems that can generate timely, 
reliable, and useful information with which to make informed decisions to ensure ongoing accountability. 

The GAO Standards hold that transactions should be properly authorized, documented, and recorded 
accurately and timely. 

Recommendations: We recommend that the Coast Guard: 

1 . Establish policies, procedures, and internal controls to ensure that FBwT transactions are recorded 
accurately and completely and in a timely manner, and that all supporting documentation is maintained 
for all recorded transactions. These policies and procedures should allow the Coast Guard to: 

a) Perform complete and timely FBwT reconciliations using the Treasury Government-wide 
Accounting tools; 

b) Better manage its suspense accounts to inchde researching and clearing items carried in suspense 
clearing accounts in a timely manner during the year, and maintaining proper supporting 
documentation in clearing suspense activity; and 

c) Maintain payroll data supporting payroll transactions processed through FBwT and have access to 
complete documentation, if needed. 

I-D Capital Assets and Supplies 

Background: The Coast Guard maintains approximately 59 percent of all DHS property, plant, and 
equipment (PP&E), including a large fleet of boats and vessels. Many of the Coast Guard's assets are 
constructed over a multi-year period, have long useful lives, and undergo extensive routine servicing that 
may increase their value or extend their useful lives. In FY 2008, the Coast Guard revised corrective action 
plans (FSTAR) to address the PP&E process and control deficiencies, and began remediation efforts. 
However, the FSTAR is scheduled to occur over a multi-year time-frame. Consequently, most of the 
conditions cited below have been repeated from our FY 2007 report. 

Operating Materials and Supplies (OM&S) are maintained by the Coast Guard in significant quantities and 
consist of tangible personal property to be consumed in normal operations to service marine equipment, 
aircraft, and other operating equipment. The majority of the Coast Guard's OM&S is physically located at 
either two Inventory Control Points (ICPs) or in the field. The Coast Guard's policy requires regularly 
scheduled physical counts of OM&S, which are important to the proper valuation of OM&S and its 
safekeeping. The conditions cited below for OM&S have been repeated from our FY 2007 report. 

Conditions: The Coast Guard has not: 
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Regarding PP&E: 

• Consistently applied policies and procedures to ensure appropriate documentation supporting 
PP&E acquisitions, and their existence, is maintained to support capitalized PP&E. In cases where 
original acquisition documentation has not been maintained, the Coast Guard has not developed 
and documented methodologies and assumptions to support the value of PP&E; 

• Implemented appropriate controls and related processes to accurately, consistently, and timely 
record additions to PP&E and construction in process (CIP), transfers from other agencies, 
disposals in its fixed asset system, and valuation and classification of repairable PP&E; 

• Implemented accurate and complete asset identification, system mapping, and tagging processes 
that include sufficient detail, e.g., serial number, to clearly differentiate and accurately track 
physical assets to those recorded in the fixed asset system; and 

• Properly accounted for some improvements and impairments to buildings and structures, capital 
leases, and selected useful lives for depreciation purposes, consistent with generally accepted 
accounting principles (GAAP). 

Regarding OM&S: 

• Implemented policies, procedures, and internal controls to support the completeness, accuracy, 
existence, valuation, ownership, and presentation assertions related to the FY 2008 OM&S and 
related account balances; 

• Fully designed and implemented policies, procedures, and internal controls over physical counts 
of OM&S to remediate conditions identified in previous years; 

• Properly identified (bar-coded or tagged) recorded OM&S; and 

• Established processes and controls to fully support the calculated value of certain types of OM&S 
to approximate historical cost. 

Cause/Effect: PP&E policies and procedures are not appropriately designed, consistently followed, or do 
not include sufficient controls to ensure compliance with policy or to ensure complete supporting 
documentation is maintained and readily-available. The fixed asset module of the Coast Guard's CAS is 
not updated for effective tracking and reporting of PP&E. As a result, the Coast Guard is unable to 
accurately account for its PP&E, and provide necessary information to DHS OFM for consolidated 
financial statement purposes. 

Coast Guard management deferred correction of most OM&S weaknesses reported in previous years, and 
acknowledged that the conditions we reported in prior years remained throughout FY 2008. Lack of 
comprehensive and effective policies and controls over the performance of physical counts, and appropriate 
support for valuation, may result in errors in the physical inventory process or inventory discrepancies that 
could result in financial statement misstatements. 

Criteria: SFFAS No. 6, Accounting for Property, Plant, and Equipment, provides the general requirements 
for recording and depreciating property, plant and equipment. 

The Federal Accounting Standards Advisory Board (FASAB)'s Federal Financial Account Standards 
Interpretation No. 7, dated March 16, 2007, defines "items held for remanufacture" as items "in the process 
of (or awaiting) inspection, disassembly, evaluation, cleaning, rebuilding, refurbishing and/or restoration to 
serviceable or technologically updated/upgraded condition. Items held for remanufacture may consist of: 
Direct materials, (including repairable parts or subassemblies [...]) and Work-in-process (including labor 
costs) related to the process of major overhaul, where products are restored to 'good-as-new' condition 
and/or improved/upgraded condition. 'Items held for remanufacture' share characteristics with 'items held 
for repair' and items in the process of production and may be aggregated with either class. Management 
should use judgment to determine a reasonable, consistent, and cost-effective manner to classify processes 
as 'repair' or 'remanufacture'." 
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FFMIA Section 803(a) requires each agency to implement and maintain a system that complies 
substantially with Federal financial management system requirements. OMB Circular No. A-127 
prescribes the standards for federal agencies' financial management systems. That Circular requires an 
agency's system design to have certain characteristics that include consistent "internal controls over data 
entry, transaction processing, and reporting throughout the system to ensure the validity of the information 
and protection of Federal Government resources." 

According to GAO Standards for Internal Control in the Federal Government, assets at risk of loss or 
unauthorized use should be periodically counted and compared to control records. Policies and procedures 
should be in place for this process. The FSIO publication, Inventory, Supplies, and Material System 
Requirements, states that "the general requirements for control of inventory, supplies and materials consist 
of the processes of receipt and inspection, storing, and item in transit." Specifically, the "placement into 
inventory process" requires that an agency's inventory, supplies and materials system must identify the 
intended location of the item and track its movement from the point of initial receipt to its final 
destination." SFFAS No. 3, Accounting for Inventory and Related Property, states OM&S shall be valued 
on the basis of historical cost. 

Recommendations: We recommend that the Coast Guard: 
Regarding PP&E: 

1. Improve controls and related processes and procedures to ensure that documentation supporting 
existing PP&E acquisitions, additions, transfers, and disposals, to include the CIP process, is 
maintained to support capitalized PP&E; 

2. Implement processes and controls to record PP&E transactions accurately, consistently, and timely in 
the fixed asset system; record an identifying number in the fixed asset system at the time of asset 
purchase to facilitate identification and tracking; and ensure that the status of assets is accurately 
maintained in the system; 

3. Revise procedures for performing physical inventories of repairable items, to include procedures for 
resolving differences and reporting results, to ensure that repairable PP&E is accurately and 
completely classified and recorded. Support the pricing methodology used to value repairable PP&E to 
ensure that balances, as presented in the financial statements, approximate amortized historical cost; 
and 

4. Review policies and procedures to account for improvements and impairments to buildings and 
structures, capital leases, and identify proper useful lives for depreciation purposes in accordance with 
GAAP. 

Regarding OM&S: 

5. Update OM&S physical count policies, procedures, and controls, and provide training to personnel 
responsible for conducting physical inventories, and include key elements of an effective physical 
inventory in the policies; 

6. Consider adopting an inventory control system for OM&S as a method of tracking usage and 
maintaining a perpetual inventory of OM&S on hand; and 

7. Establish processes and controls to support the calculated value of OM&S to ensure accounting is 
consistent with GAAP. 

I-E Actuarial and Other Liabilities 

Background: The Coast Guard maintains pension, medical, and post employment travel benefit programs 
that require actuarial computations to record related liabilities for financial reporting purposes. The 
Military Retirement System (MRS) is a defined benefit plan that covers both retirement pay and health care 
benefits for all active duty and reserve military members of the Coast Guard. The medical plan covers 
active duty, reservists, retirees/survivors and their dependents that are provided care at Department of 
Defense (DoD) medical facilities. The post employment travel benefit program pays the cost of 



1.8 



Independent Auditors' Report 

Exhibit I - Material Weaknesses in Internal Control - U.S. Coast Guard 



transportation for uniformed service members upon separation from the Coast Guard. Annually, participant 
and cost data is extracted by the Coast Guard from its records and provided to an actuarial firm as input for 
the liability calculations. The accuracy of the actuarial liability as reported in the financial statements is 
dependent on the accuracy and completeness of the underlying participant and cost data provided to the 
actuary as well as the reasonableness of the assumptions used. A combined unfunded accrued liability of 
approximately $30. 1 billion for the plans is reported in the DHS consolidated balance sheet as of 
September 30, 2008. 

The Coast Guard estimates accounts payable as a percentage of undelivered orders (UDOs) based on 
historical trends. As described in Exhibit I-F, Budgetary Accounting, reliable accounting processes 
surrounding the recording of obligations and disbursements, and tracking of UDOs, are key to the accurate 
reporting of accounts payable in the Coast Guard's financial statements. 

The Coast Guard's environmental liabilities consist of two main types: shore facilities and vessels. Shore 
facilities include any facilities or property other than ships, e.g., buildings, fuel tanks, lighthouses, small 
arms firing ranges (SAFRs), etc. 

The Coast Guard estimates its legal liabilities to include Oil Spill Liability Trust Fund claims that are 
incorporated, and recorded, as part of the DHS legal liability on DHS financial statements. 

Conditions: We noted the following internal control weaknesses related to actuarial and other liabilities. 
The Coast Guard does not: 

• Have effective policies, procedures, and controls to ensure the completeness and accuracy of 
participant data, medical cost data, and trend and experience data provided to, and used by, the 
actuary for the calculation of the MRS pension, medical, and post employment benefit liabilities. 
Reconciliations between subsidiary and general ledger amounts for medical expenditures are not 
effective; 

• Have effective policies, procedures and internal controls over the Coast Guard's process for 
reconciling military payroll recorded in the CAS general ledger to detail payroll records. Military 
personnel data changes, including changes in leave balances and payroll corrections, are not 
processed in the appropriate payroll and/or reporting periods, and consequently impact the 
completeness and accuracy of leave and payroll accruals as well as data used for actuarial 
projections; 

• Use a reliable methodology to estimate accounts payable. The method used was not supported as 
to the validity of data, assumptions, and criteria used to develop and subsequently validate the 
reliability of the estimate for financial reporting; and 

• Support the completeness, existence, and accuracy assertions of the data utilized in developing the 
estimate for the FY 2008 environmental liability account balance. The Coast Guard has not fully 
developed, documented, and implemented the policies and procedures in developing, preparing, 
and recording the environmental liability estimates related to shore facilities, and has not approved 
policies and procedures for the review of the environmental liability estimate related to vessels. 

Cause/Effect: Much of the data required by the actuary comes from personnel and payroll systems that are 
outside of the Coast Guard's accounting organization and are instead managed by the Coast Guard's 
Personnel Service Center (PSC). The Coast Guard has not updated its experience study since 2006, which 
contained several errors, and therefore, management is unable to provide assurance on the completeness 
and accuracy of the experience study which affects the completeness and accuracy of actuarially 
determined liabilities as stated in the DHS consolidated balance sheet at September 30, 2008. In addition, 
the Coast Guard does not have sufficient controls to prevent overpayments for medical services. Thus, 
inaccurate medical costs submitted to the Coast Guard actuary could result in a misstatement of the 
actuarial medical liability and related expenses. 

The Coast Guard has not yet developed comprehensive policies and procedures or corrective action plans to 
address the conditions above, and consequently, management is unable to assert to the accuracy and 
completeness of the accounts payable and payroll accruals recorded as of September 30, 2008. 
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Criteria: According to SFFAS No. 5, Accounting for Liabilities of the Federal Government, paragraph 95, 
the employer should recognize an expense and a liability for other post employment benefits (OPEB) when 
a future outflow or other sacrifice of resources is probable and measurable on the basis of events occurring 
on or before the reporting date. Further, the long-term OPEB liability should be measured at the present 
value of future payments, which requires the employer to estimate the amount and timing of future 
payments, and to discount the future outflow over the period for which the payments are to be made. 

The GAO Standards hold that transactions should be properly authorized, documented, and recorded 
accurately and timely. SFFAS No. 1 states, "When an entity accepts title to goods, whether the goods are 
delivered or in transit, the entity should recognize a liability for the unpaid amount of the goods. If 
invoices for those goods are not available when financial statements are prepared, the amounts owed should 
be estimated." 

Statement on Auditing Standards (SAS) No. 57, Auditing Accounting Estimates, states "An entity's internal 
control may reduce the likelihood of material misstatements of accounting estimates." The standard 
specifically identifies, "accumulation of relevant, sufficient, and reliable data on which to base an 
accounting estimate," and "comparison of prior accounting estimates with subsequent results to assess the 
reliability of the process used to develop estimates" as two relevant aspects of internal control. 

Federal Accounting Standards Advisory Board (FASAB) Technical Release No. 2, Determining Probable 
and Reasonably Estimable for Environmental Liabilities in the Federal Government, states that an agency 
is required to recognize a liability for environmental cleanup costs as a result of past transactions or events 
when a future outflow or other sacrifice of resources is probable and reasonably estimable. Probable is 
related to whether a future outflow will be required. Reasonably estimable relates to the ability to reliably 
quantify in monetary terms the outflow of resources that will be required. 

Recommendations: We recommend that the Coast Guard: 

Regarding actuarial liabilities: 

1. Establish and document policies, procedures, and effective controls to ensure the completeness and 
accuracy of the actuarial pension, medical, and post employment travel benefit liabilities; 

2. Establish and document policies, procedures, and effective controls to ensure the completeness and 
accuracy of participant data, medical cost data, and trend and experience data provided to, and used by, 
the actuary for the calculation of the MRS pension, medical, and post employment travel benefit 
liabilities; and 

3. Perform a periodic reconciliation between the medical expenditures recorded in the subsidiary ledger 
and those recorded in the CAS, and address differences before data is provided to the actuary. This 
reconciliation should be performed for all significant sources of medical actuarial data, including 
TriCare, and DoD Military Treatment Facilities (MTFs). In addition, this reconciliation should be 
reviewed by someone other than the preparer to ensure accuracy. 

Regarding accounts payable and payroll: 

4. Analyze and make appropriate improvements to the methodology used to estimate accounts payable 
and support all assumptions and criteria with appropriate documentation to develop and subsequently 
validate the estimate for financial reporting; and 

5. Implement corrective action, including appropriately designed and implemented internal controls, to 
support the completeness, existence, and accuracy of changes in member personnel data records and 
military payroll transactions, and to include recorded accrued military leave and payroll liabilities. 

Regarding environmental liabilities: 

6. Develop consistent written agency-wide policies, procedures, processes, and controls to ensure 
identification of and recording of all environmental liabilities, define the technical approach, cost 
estimation methodology, and overall financial management oversight of its environmental remediation 
projects. The policies should include: 
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a) Procedures to ensure the proper calculation and review of cost estimates for consistency and 
accuracy in financial reporting, including the use of tested modeling techniques, use of verified 
cost parameters, and assumptions; 

b) Periodically validate estimates against historical costs; and 

c) Ensure that detailed cost da^a is maintained and reconciled to the general ledger. 

I-F Budgetary Accounting 

Background: Budgetary accounts are a category of general ledger accounts where transactions related to 
the receipt, obligation, and disbursement of appropriations and other authorities to obligate and spend 
agency resources are recorded. Each Treasury Account Fund Symbol (TAFS) with separate budgetary 
accounts must be maintained in accordance with OMB and Treasury guidance. The Coast Guard has over 
90 TAFS covering a broad spectrum of budget authority, including annual, multi-year, and no-year 
appropriations; and several revolving, special, and trust funds. In addition, the Coast Guard estimates 
accounts payable at year end as a percentage of UDOs based on historical trends. Reliable accounting 
processes surrounding obligations, UDOs and disbursements are key to the accurate reporting of accounts 
payable in the DHS consolidated financial statements. 

Conditions: We noted the following internal control weaknesses related to budgetary accounting, many of 
which were repeated from our FY 2007 report. 

• The policies, procedures and internal controls over the Coast Guard's process for validation and 
verification of UDO balances are not effective to ensure that recorded obligations and UDO 
balances were complete, valid, accurate, and that proper approvals and supporting documentation 
is maintained. 

• Procedures used to record commitment/obligations and internal controls within the process have 
weaknesses that could result in obligations of funds in excess of the apportioned and/or allotted 
amounts. In addition, the Coast Guard has not fully implemented current policies and procedures 
to monitor un-obligated commitment activity in CAS throughout the fiscal year as only a de- 
commitment process is executed at year end. 

• The Coast Guard's procedures, processes, and internal controls in place to verify the completeness 
and accuracy of the year-end obligation pipeline adjustment to record all executed obligations were 
not properly designed and implemented. These deficiencies affected the completeness, existence, 
and accuracy of the year-end "pipeline" adjustment that was made to record obligations executed 
before year end. 

• Automated system controls are not effectively used to prevent the processing of procurement 
transactions by an individual who does not have warrant authority, or by contracting officer's with 
expired warrant authority. 

Cause/Effect: Several of the Coast Guard's budgetary control weaknesses can be corrected by 
modifications or improvements to the financial accounting system, process improvements, and 
strengthened policies and internal controls. Weak controls in budgetary accounting, and associated 
contracting practices increase the risk that the Coast Guard could violate the Anti-deficiency Act and 
overspend its budget authority. The financial statements are also at greater risk of misstatement. The 
untimely release of commitments may prevent funds from being used timely for other purposes. 

Criteria: According to the Office of Federal Financial Management's Core Financial System 
Requirements, dated January 2006, an agency's core financial management system must ensure that an 
agency does not obligate or disburse funds in excess of those appropriated or authorized, and "the 
Budgetary Resource Management Function must support agency policies on internal funds allocation 
methods and controls." The Federal Acquisition Regulation (FAR) Section 1.602 addresses the authorities 
and responsibilities granted to contracting officers. Treasury's USSGL guidance at TFM S2 08-03 (dated 
August 2008) specifies the accounting entries related to budgetary transactions. 



1.11 



Independent Auditors' Report 

Exhibit I - Material Weaknesses in Internal Control - U.S. Coast Guard 



FFMIA Section 803(a) requires that each Agency implement and maintain a system that complies 
substantially with Federal financial management system requirements. OMB Circular No. A-127 sets forth 
the standards for federal financial management systems. 

Recommendations: We recommend that the Coast Guard: 

1. Improve policies, procedures, and the design and effectiveness of controls related to processing 
obligation transactions, including periodic review and validation of UDOs. Emphasize to all fund 
managers the need to perform effective reviews of open obligations, obtain proper approvals, and 
retain supporting documentation; 

2. Revise controls and related policies and procedures to periodically review commitments; 

3. Improve procedures, processes, and internal controls to verify the completeness and accuracy of the 
year-end obligation pipeline adjustment to record all executed obligations for financial reporting; and 

4. Establish automated system controls to prevent incurring a commitment/obligation in excess of 
established targets so that funds are not obligated in excess of the apportioned and allotted amounts 
and preclude the processing of procurement transactions if the contracting officer's warrant authority 
had expired. 
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II-A Financial Reporting (TSA and FEMA) 

Background: Since 2006, the Transportation Security 
Administration (TSA) has had difficulty establishing baseline 
accounting policies, procedures, and processes, with well- 
designed and effective internal controls. The transition to the 
Coast Guard's Core Accounting System (CAS) for its primary 
general ledger required the development and implementation of 
many new accounting processes and procedures, some of which 
were needed to mitigate information technology (IT) general 
control weaknesses that currently exist in CAS. In FY 2007, 
TSA adopted a two-year corrective action plan to address its 
financial reporting and other accounting internal control 
weaknesses, and progress has been made in correcting some 
material weaknesses identified in FY 2007. In addition, since FY 
2006, TSA has made progress in building its financial reporting 
infrastructure and ability to support account balances. However, 
audit procedures performed by us identified additional and more 
serious financial reporting control weaknesses, some of which 
have existed since the agency's inception. As a result, TSA 
management was unable to assert that the entire balance sheet is 
fairly stated in compliance with generally accepted accounting principles (GAAP). In addition, we are now 
reporting weaknesses in entity-level controls at TSA (See Comment III-G, Entity Level Controls). 

The Federal Emergency Management Agency (FEMA)'s accounting and financial reporting processes must 
support multi-faceted operations such as temporary assistance funds, disaster relief loans, national flood 
insurance programs, stockpiles of essential supplies, mission assignments to other federal agencies for 
restoration and reconstruction, and grants to state and local governments. These programs are sometimes 
subject to complicated accounting rules, as defined by the Federal Accounting Standards Advisory Board 
(FASAB), and require specialized technical knowledge to interpret and apply. In addition, FEMA's 
accounting personnel and IT systems need to be ready to mobilize and support disaster operations with 
little advance notice, while also maintaining effective internal controls over financial reporting. In FY 
2008, FEMA made substantial progress toward correcting three material weaknesses we reported in FY 
2007 and was able to assert to the completeness and accuracy of all financial statement balances except 
capital assets. While FEMA has taken positive steps in FY 2008, financial reporting control deficiencies 
existed throughout the year that, in aggregate, are considered a material weakness. 

In FY 2008, the Department of Homeland Security (DHS or the Department) Headquarters (HQ) corrected 
its material weakness over financial reporting. 

Conditions: We noted the following internal control weaknesses related to financial reporting at TSA and 
FEMA: 

1. TSA: 

• Has not always followed policies and procedures that require supervisory reviews of financial 
statements and supporting documentation, and supervisory reviews performed have not been 
effective in identifying some material errors in the financial statements. For example TSA: 

Routinely prepares the Government Accountability Office (GAO) accounting and disclosure 
checklists (FAM 2010 and 2020), as required by the Department; however, the completion of 
the checklists was not effective in identifying material errors in accounting for and 
presentation of property, plant and equipment. Consequently, TSA and the Department 
recorded restatements totaling more than $400 million to it FY 2007 financial statements in 
FY 2008 (see below and Comment II-D, Capital Assets and Supplies); and 

Did not properly review and support 4 out of 27 journal vouchers sampled. Three out of the 
four exceptions resulted in incorrect postings to the general ledger. 
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• Places inappropriate reliance on the audit as a control over financial reporting. Audit tests 
performed by the financial statement auditor routinely identify incomplete analysis and 
documentation of account balance reconciliations, which have lead to the discovery of errors in 
financial reporting by the auditor; 

• Does not have effective procedures over the review and approval of accounting data provided to 
and/or received from contractors or outside specialists retained by TSA to support the financial 
statement audit. For example: 

Data used in computation of the year-end accounts payable accrual was inaccurate, resulting in 
an erroneous reported balance; and 

Information prepared by subcontractors supporting material adjustments made to the financial 
statements was not adequately reviewed by management before it was provided to the auditor. 

• Has not developed and implemented procedures to fully analyze the effects of its current and 
newly adopted accounting policies to ensure full compliance with GAAP. For example, TSA: 

Modified its capitalization threshold twice in FY 2008 in response to auditor inquiries 
regarding the appropriateness of the dollar threshold; 

Restated its FY 2007 financial statements to correct an understatement of property, plant and 
equipment totaling approximately $87 million, caused by adopting a capitalization threshold 
that was determined to be too high; and 

Did not perform an analysis of contingent liabilities that could aggregate to a material liability 
prior to the auditor's inquiry. 

• Did not fully reconcile its intragovernmental balances with trading partners. For example, TSA: 

Did not confirm its reporting, or identify the cause of the difference, with the Department of 
Transportation in the Material Differences Report for the third quarter; and 

Reported in its CFO Certification form sent to DHS Office of Financial Management (OFM) 
that TSA was unable to fully identify and present its intragovernmental balances and 
transactions by trading partner as of June 30, 2008, and therefore was unable to provide 
supporting documentation to OFM as requested. 

2. FEMA: 

• Does not have a sufficient number of experienced financial managers and staff to address non- 
routine accounting issues timely. A lack of skilled accounting resources has contributed to 
FEMA's inability to perform important accounting functions timely throughout FY 2008. For 
example, we noted that FEMA: 

Did not prepare and record adjustments for its National Flood Insurance Program (NFIP) 
accurately. Several errors were identified after submission of FEMA's interim financial 
information to OFM. In addition, certain of these journal entries were recorded in the general 
ledger prior to final review and approval of the supporting documentation; and 

Did not establish an accounts payable accrual for certain outstanding obligations, and did not 
validate a supportable estimate of accounts payable throughout the year for certain other 
outstanding obligations, requiring a change in methodology in early October to ensure proper 
year-end reporting. 

• Lacks segregation of duties in financial reporting roles, and consequently does not have sufficient 
supervisory review processes over all material accounts. For example, we identified an error in 
accounting for undelivered orders totaling approximately $1.5 billion, where the balance was not 
adequately reviewed and approved by a second supervisory level person. 

• Did not fully reconcile its intragovernmental balances with trading partners. Differences related to 
FEMA's transactions and balances were identified in the Department of the Treasury's Material 
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Differences Report for the first three quarters of the fiscal year. In some cases, FEMA could not 
confirm or support reported balances or identify the reason for the differences. 

Cause/Effect: TSA's corrective action plans, initiated in FY 2007, did not project full remediation of 
control deficiencies until FY 2009. Further, it was necessary for TSA to defer certain corrective actions to 
devote more resources to its review and correction of errors discovered in capital asset balances during FY 
2008. Material errors discovered by the outside auditor are an indicator of continued material weaknesses 
in internal control over financial reporting. TSA's service provider could not provide the breakout of 
intragovernmental activity by trading partner. 

FEMA maintains a relatively small headquarters financial and accounting staff compared to its diverse 
programmatic and mission focused objectives, and has experienced high turn-over in financial management 
and accounting personnel in FY 2008. FEMA also committed substantial human and financial resources to 
reconcile and correct potential errors in account balances that contributed to qualifications of our FY 2007 
Independent Auditors' Report. As a result, sufficient resources were not available to fully address control 
deficiencies in other areas. 

Criteria: Office of Management and Budget (OMB) Circular No. A- 1 23 , Management 's Responsibility for 
Internal Control, defines management's responsibility for internal control and provides guidance to Federal 
managers on improving the accountability and effectiveness of Federal programs and operations by 
establishing, assessing, correcting, and reporting on internal control. Within the organizational structure, 
management must clearly: define areas of authority and responsibility; appropriately delegate the authority 
and responsibility throughout the agency; establish a suitable hierarchy for reporting; support appropriate 
human capital policies for hiring, training, evaluating, counseling, advancing, compensating, and 
disciplining personnel; and uphold the need for personnel to possess and maintain the proper knowledge 
and skills to perform their assigned duties as well as understand the importance of maintaining effective 
internal control within the organization. 

OMB Circular No. A-50, Audit Follow-Up, states that corrective action taken by management on resolved 
findings and recommendations is essential to improving the effectiveness and efficiency of Government 
operations. Each agency shall establish systems to assure the prompt and proper resolution and 
implementation of audit recommendations. These systems shall provide for a complete record of action 
taken on both monetary and nonmonetary findings and recommendations. 

The Treasury Federal Intragovernmental Transactions Accounting Policies Guide, dated August 15, 2008, 
and OMB Circular No. A-136, Financial Reporting Requirements, as revised, require Federal CFO Act and 
non-CFO Act entities identified in the Treasury Financial Manual (TFM) 2008, Vol. I, Part 2-Chapter 4700, 
Agency Reporting Requirements for the Financial Report of the United States Government, to perform 
quarterly reconciliations of intragovernmental activity/balances. TFM, Section 4706, Intragovernmental 
Requirements, requires reporting agencies to reconcile and confirm intragovernmental activity and balances 
quarterly for specific reciprocal groupings. TFM Bulletin 2007-03, Intragovernmental Business Rules, also 
provides guidance to Federal agencies for standardizing the processing and recording of intragovernmental 
activities. 

Recommendations: We recommend that: 
1. TSA: 

a) Adhere to established policies and proceduresrequiring supervisory review of financial 
information, supporting documentation, and account balance reconciliations, to ensure that all 
material errors in the financial statements are identified and corrected timely. 

b) Develop and implement policies and procedures to: 

i) Require supervisory reviews of accourting transactions (particularly non-routine 

transactions), and accounting data provided to and received from contractors and outside 
specialists, and adequately supervise and review work performed by accounting staff and 
contractors; 
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ii) Analyze changes in accounting pdicy prior to their implementation, including steps to 
determine whether the implementation would result in a non-compliance with GAAP; 

iii) Assign documented accountability for supervisory reviews; and 

iv) Eliminate reliance on the outside auditor as a control over the accuracy and completeness of 
financial statements, and the sufficiency of account level reconciliations. 

c) Work with its accounting service provider to ensure that the proper trading partner code is 
recorded for each intragovernmental transaction. Until such time, TSA should consistently 
perform its manual process for the timely identification and reporting of trading partners for 
intragovernmental activities and balances. 

2. FEMA: 

a) Evaluate the effect of its FY 2008 reorganization in the Office of the Chief Financial Officer 
(OCFO) to ensure that current positions are filled with personnel with the requisite skills, and 
abilities necessary to ensure that important accounting functions, including non-routine and 
complex transactions, are addressed and accurately accounted for in the general ledger timely; 

b) Establish clear managementoversight responsibilities and processes to effectively review NFIP 
journal vouchers; 

c) Assign accounting functions and responsibilitiesof accounting staff to ensure proper segregation 
of duties and supervisory reviews of material transactions and account balance reconciliations; and 

d) Develop and implement procedures to propery research and reconcile its intragovernmental 
balances to supporting schedules and to trading partners. 

II-B Information Technology General and Application Controls 

Background: IT general and application controls are essential to achieving effective, reliable reporting of 
financial and performance data. Effective IT general controls are typically defined by the GAO's Federal 
Information System Controls Audit Manual (FISCAM) in six key control areas: entity-wide security 
program planning and management, access control, application software development and change control, 
system software, segregation of duties, and service continuity. In addition to IT general controls, financial 
systems contain application controls, which are the structure, policies, and procedures that apply to use, 
operability, interface, edit and monitoring controls of an application. 

During FY 2008, DHS civilian components made progress in strengthening its IT general controls, which 
resulted in the closure of more than 40% of our prior year IT control findings. Additionally, some DHS 
components reduced the severity of the weaknesses when compared to findings reporting in the prior year. 

Conditions: The FISCAM IT general and application control areas that continue to present a risk to 
financial systems data integrity include: 

• Excessive access to key DHS financial applications, including weaknesses in access 
documentation and approval, disabling account access upon termination, instances of inadequate or 
weak passwords, configuration of workstations, servers, or network devices without necessary 
computer software patches, inactivity time-outs, and up-to-date anti-virus software. 

• Application change control processes that are inappropriate, not fully defined, followed, or 
effective, including instances where changes made to the system were not always properly 
approved, tested, documented, or performed through System Change Requests (SCRs); instances 
where policies and procedures regarding change controls were not in place to prevent users from 
having concurrent access to the development, test, and production environments of the system, or 
for restricting access to application system software and system support files; and policies and 
procedures surrounding the system development life cycle (SDLC) process that have not been 
documented or finalized. 
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• Service continuity issues impacting DHS' ability to ensure that DHS financial data is available 
when needed, including instances where the Continuity of Operations Plan (COOP) did not include 
an accurate listing of critical information technology systems, did not have critical data files, and 
an alternate processing facility was not adequately tested and documented, and various weaknesses 
identified in alternate processing sites. 

Our findings, including significant deficiencies that do not rise to the level of being a material weakness, 
are described in greater detail in a separate Limited Official Use letter provided to DHS' Office of Inspector 
General (OIG) and management. 

Cause/Effect: Many of these weaknesses were inherited from the legacy agencies that came into DHS, or 
system development activities that did not incorporate strong general computer controls from the outset and 
will take several years to fully address. A contributing cause to repeated findings is that DHS lacks an 
effective component-wide prioritization of IT systems issues, including the development of a stable 
centralized IT platform for the Department. When weaknesses in controls or processes are identified, the 
corrective actions address the symptom of the problem and do not always correct the root cause - 
amounting to a temporary fix. The time and resources needed to implement corrective actions necessary to 
mitigate the weaknesses often take multiple years. 

The conditions supporting our findings collectively limit DHS' ability to ensure that critical financial and 
operational data is kept secure and is maintained in a manner to protect confidentiality, integrity, and 
availability. Many of these weaknesses, especially those in the area of change controls, may result in 
material errors in DHS' financial data that are not detected in a timely manner in the normal course of 
business. In addition, as a result of the presence of IT weaknesses, there is added pressure on the other 
mitigating manual controls to be operating effectively at all times. Because mitigating controls often 
require more human involvement, there is an increased risk of human error that could materially affect the 
financial statements. 

Criteria: The Federal Information Security Management Act (FISMA) passed as part of the E- 
Government Act of 2002, mandates that Federal entities maintain IT security programs in accordance with 
National Institute of Standards and Technology (NIST) guidance. 

OMB Circular No. A- 130, Management of Federal Information Resources, describes specific essential 
criteria for maintaining effective general IT controls. 

The Federal Financial Management Improvement Act (FFMIA) set forth legislation prescribing policies 
and standards for executive departments and agencies to follow in developing, operating, evaluating, and 
reporting on financial management systems. The purpose of FFMIA is: (1) to provide for consistency of 
accounting by an agency from one fiscal year to the next, and uniform accounting standards throughout the 
Federal Government; (2) require Federal financial management systems to support full disclosure of 
Federal financial data, including the full costs of Federal programs and activities; (3) increase the 
accountability and credibility of federal financial management; (4) improve performance, productivity and 
efficiency of Federal Government financial management; and (5) establish financial management systems 
to support controlling the cost of Federal Government. 

DHS' Sensitive Systems Policy, 4300 A, documents policies and procedures adopted by DHS intended to 
improve the security and operation of all DHS IT systems. 

The FISCAM provides a framework and recommended audit procedures that are used to conduct the IT 
general and application control test work on financial information systems. 

Recommendations: We recommend that the DHS Office of the Chief Information Officer, in coordination 
with the Office of the Chief Financial Officer (OCFO), make the recommended improvements to the 
Department's financial management systems in FY 2009. Specific recommendations are provided in a 
separate Limited Official Use letter provided to DHS management. 

II-C Not Used 
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II-D Capital Assets and Supplies (FEMA, TSA, and CBP) 

Background: FEMA has several internal use software programs 
that were either in development or in operation during FY 2008. 
In FY 2008, in response to auditor inquiries, FEMA initiated a 
review of its internal use software costs, but did not complete the 
analysis before DHS completed its FY 2008 Annual Financial 
Report (AFR). Consequently, FEMA was unable to assert that 
its capital asset balances, related to internal use software, are 
fairly stated at September 30, 2008. 

In FY 2008, FEMA substantially corrected its control deficiencies over stockpile inventory. 

TSA manages baggage X-ray, explosive, screening, and other equipment as part of its business. This 
equipment, in every major U.S. airport, is owned and maintained by TSA. The processes required to 
procure, ship, temporarily store, install, operate, and maintain this equipment are substantial, and consume 
a large portion of TSA's annual operating budget. Unique accounting processes and systems are necessary 
to track the status and accumulate costs, and to accurately value, account for, and depreciate the equipment. 
In FY 2008, in response to auditor inquires, TSA initiated various reviews of its capital assets and 
identified errors in its accounting for equipment used in airports that required a number of restatements to 
the FY 2007 financial statement balances, and current year corrections. These conditions also prevented 
TSA from asserting that its capital asset balances at September 30, 2008 are fairly stated prior to the 
completion of the DHS FY 2008 AFR. 

The Customs and Border Protection (CBP)'s Secure Border Initiative (SBI) is a comprehensive multi-year 
plan to secure America's borders and reduce illegal immigration. The primary step in fulfilling this plan is 
to construct a fence along the border of the U.S. and Mexico. This fence will take many forms (i.e., 
physical, virtual, etc.) depending on the terrain of the land. Much of the physical fence will be constructed 
of steel, which has been purchased in bulk by CBP. Once a construction project is completed, the costs in 
construction-in-progress (CIP) are moved to Property, Plant, and Equipment (PP&E). As the SBI initiative 
is not part of CBP's normal course of business, CBP did not timely implement processes to record these 
transactions properly. 

In FY 2008, US-Visit corrected its control deficiency over internal use software. 

Conditions: We noted the following internal control weaknesses related to capital assets and supplies at 
FEMA, TSA, and CBP: 

1. FEMA: 

• Does not have sufficient policies and procedures to routinely account for costs incurred to develop 
internal use software consistent with GAAP. For example, FEMA: 

Did not record estimated or actual amounts for several internal use software programs under 
development in FY 2008, and alternatively, did not assess that the related capitalizable 
amounts were immaterial; 

Has historically recorded an estimate of the capitalizable costs of internal use software on an 
annual basis, instead of the actual costs incurred; 

Does not have policies and procedures to periodically assess the reliability of the internal use 
software estimates recorded, such as a comparison of estimates to actual costs; 

Did not record internal use software in a separate account from internal use software in 
development as required by the United States Standard General Ledger (USSGL); and 

Did not consistently begin amortization of software costs when the asset was placed in service. 

• Does not have adequate policies and procedures to accurately identify and account for the various 
stages of software development costs that would enable FEMA to identify the costs that should be 
capitalized and those that should be expensed as incurred. 
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2. TSA: 

• Does not have policies and procedures in place to properly account for and report equipment and 
internal use software balances. For example, TSA did not: 

Perform a periodic analysis of idle assets stored in a warehouse and adjust the carrying value 
of those assets to net realizable value (NRV), if necessary, as required by GAAP. TSA 
recorded an adjustment totaling $95.9 million to properly present idle assets at NRV in the FY 
2008 financial statements, of which $1.6 million was to restate its FY 2007 financial 
statements; 

Identify and properly account for other direct costs incurred to transport, store, and install 
screening equipment at airports. TSA recorded an adjustment totaling $108.5 million to restate 
its FY 2007 financial statements to correct this error; 

Identify and account for software developed for internal use in compliance with the 
requirements of GAAP, since the inception of the Agency in 2002. TSA recorded an 
adjustment totaling $260.6 million in FY 2008, of which $212.9 million was a restatement of 
its FY 2007 financial statements to correct this error; and 

Depreciate some of its screening equipment using appropriate useful lives. TSA recorded an 
adjustment totaling $ 28.6 million in FY 2008, of which $17.3 million was a restatement of its 
FY 2007 financial statements to correct for this error. 

• Did not adopt an appropriate asset capitalization dollar threshold, (where asset purchases above a 
certain dollar value are capitalized, and below which are expensed). The dollar threshold used 
during FY 2008 and prior years was set too high, resulting in a material understatement of 
capitalized asset balances in prior years, and as of September 30, 2008 (See Comment II-A, 
Financial Reporting). 

3. CBP: 

• Did not adopt adequate policies and procedures in place to properly account for steel purchases and 
construction of the U.S. border fence accurately and timely. CPB initially recorded some capital 
asset purchases, related to the U.S. border fence construction as an expense, and several months 
later, properly reversed and capitalized the assets. For example, as of the end of August 2008, 
$224 million of steel was purchased; however, none was recorded as a capital asset until 
September 2008. 

• Does not have adequate accounting processes and controls to ensure that transfers of assets from 
CIP to completed PP&E are recorded in the general ledger timely. As a result, CBP performed a 
review of asset additions to quantify the impact of the untimely transfers. As of September 30, 
2008, CBP recorded an additional $48 million in accumulated depreciation and depreciation 
expense to correct for the identified errors. 

Cause/Effect: FEMA has not devoted attention to accounting for software development in the past 
assuming the costs incurred to develop software for internal use were immaterial for DHS consolidated 
financial reporting purposes. However, in recent years, FEMA has increased its expenditures on internal 
use software to update its IT systems and improve their capabilities to support its mission. Although 
FEMA's Office of the Chief Financial Officer (OCFO) attempted to gather certain costs to capitalize in the 
second half of FY 2008, the data needed to account for the software costs could not be easily obtained from 
other offices. FEMA and DHS financial statements could be materially misstated without better processes 
for tracking and accounting for internal use software costs. 

TSA management was not fully aware of the accounting requirements of SFFAS No. 6, Accounting for 
Property, Plant, and Equipment, until auditor inquiries led TSA to investigate its accounting policies for 
equipment, particularly related to internal use software and treatment of other direct costs. This control 
deficiency is also related to the conditions described in Comment II-A, Financial Reporting, and Comment 
III-G, Entity Level Controls. Extensive resources, including contractor assistance, were committed in FY 
2008 in an attempt to identify the full extent of the error, and properly account for capital assets; however, 
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considering the scale of the project, management was not able to fully complete the work prior to the 
completion of the DHS 2008 AFR. 

As the SBI initiative is not part of CBP's normal course of business, CBP did not timely implement 
processes to record these transactions properly. Accordingly, for several months throughout the year, 
CBP's financial statements did not accurately reflect the construction activity. 

Criteria: SFFAS No. 10, Accounting for Internal Use Software, provides requirements for the 
capitalization and reporting of internal use software development costs. Per paragraph 16, the capitalizable 
cost should include "....the full cost (direct and indirect) incurred during the software development stage. 
Per SFFAS No. 10, paragraphs 18-20, "For COTS [Commercial off-the-shelf] software, capitalized cost 
should include the amount paid to the vendor for the software. For contractor-developed software, 
capitalized cost should include the amount paid to a contractor to design, program, install, and implement 
the software. Material internal cost incurred by the federal entity to implement the COTS or contractor- 
developed software and otherwise make it ready for use should be capitalized. . .Costs incurred after final 
acceptance testing has been successfully completed should be expensed." 

Per the USSGL TFM S2 08-03, Part I Fiscal Year 2008 Reporting, Accounts and Definitions, account 
1832, Internal Use Software in Development, "includes the full cost, as defined in FASAB SFFAS No. 10, 
Accounting for Internal Use Software, incurred during the software development stage of (1) contractor- 
developed software, and (2) internally developed software. Upon completion, these costs will be 
transferred to USSGL account 1830, Internal Use Software." 

SFFAS No. 6, paragraph 38, states that general PP&E along with associated accumulated 
depreciation/amortization should be removed from the asset accounts in the period of disposal, retirement, 
or removal from service. Any difference between the book value of the PP&E and amounts realized should 
be recognized as a gain or loss in that period. SFFAS No. 6 requires all costs incurred to place an asset in 
service, including transportation, storage, and installation costs, to be capitalized and depreciated over the 
asset's useful life. Also, SFFAS No. 6 requires that upon completion of a construction project, costs should 
be capitalized into fixed assets. 

GAO Standards for Internal Control in the Federal Government (Standards) require that internal control 
and all transactions and other significant events be clearly documented and readily available for 
examination. The Joint Financial Management Improvement Program (JFMIP), Property Management 
Systems Requirements, state that the agency's property management system must create a skeletal property 
record or have another mechanism for capturing information on property in transit from the providing 
entity (e.g., vendor, donator, lender, grantor, etc.). 

Recommendations: We recommend that: 

1. FEMA: 

a) Perform a review of all internal use software implemented and currently in development, to 
include the following: 

i) Compile the supportiig documentation for all significant software projects less than three 
years old, including NextGen, PRISM, NDgrants, EMMIE, TAV, and Sunflower software, 
and account for the costs in accordance with SFFAS No. 10; 

ii) Develop and implement a formal tracking system forthe costs related to the development and 
implementation of internal use software, and use the information from the tracking system to 
either record actual costs of internal use software in the general ledger or validate estimated 
costs on a periodic basis (at least annually); 

iii) Ensure that costs of software in development are recorded in USSGL account 1 832, and the 
full cost of the software is transferred to USSGL account 1830 after final acceptance testing is 
completed; and 

iv) Reclassify costs of software in development that are currently recorded in USSGL account 
1830 to USSGL account 1832, and reverse the amortization expense recorded to date for the 
costs of software in development. 
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2. TSA: 

a) Complete the review currently in process over idle assets, other direct costs, and internal use 
software, and record the proper correcting adjustments in the general ledger; 

b) Develop and implement policies and procedures, including appropriate supervision and 
management oversight, to include accountability, to account for idle assets, other direct costs, and 
internal use software in accordance with SFFAS No. 6 and SFFAS No. 10 on an on-going basis; 
and 

c) Examine asset purchases and establish an appropriate dollar threshold for capitalization of 
purchases to ensure that asset purchases are presented as capital assets, and depreciated in 
compliance with GAAP (See Comment II-A, Financial Reporting). 

3. CBP: 

a) Establish policies and procedures to capitalize costs of construction- in-progress accurately and 
timely; and 

b) Improve its policies and procedires to ensure that assets are transferred from CIP to in-use 
property timely, when the assets are placed in service. 

II-E Actuarial and Other Liabilities (FEMA, FLETC, ICE, and S&T) 

Background: In FY 2007, Grants and Training (G&T) operations 
were transferred to FEMA as a result of the Post-Katrina Emergency 
Management Reform Act of 2006. FEMA is now responsible for 
accounting and financial reporting for all legacy G&T grants, 
including the grant accrual methodology. FEMA manages the NFIP 
and relies on insurance underwriters to provide an estimate for NFIP 
loss reserves for financial statement purposes. 

The Federal Law Enforcement Training Center (FLETC) maintains a 
number of firing ranges in at least four locations. FLETC also 
maintains facilities that contain lead-based paint and asbestos, where 
environmental liabilities may exist. The Immigration and Customs 
Enforcement (ICE) and Science and Technology (S&T) own land, 
buildings, and other structures and facilities, including firing ranges, 
that may be contaminated, or have underground storage tanks. S&T * G &T merged with FEMA in 2007 

also owns the Plum Island Animal Disease Center and Orient Point, 
and has leased laboratory space in Manhattan. 

In FY 2008, TSA corrected its material weakness in the unfunded employee leave process. 

Conditions: We noted the following internal control weaknesses related to other liabilities at FEMA, 
FLETC, ICE, and S&T: 

1. FEMA: 

• Had not fully implemented planned internal controls over its grant accrual as FEMA management 
made revisions to the accrual methodology through September 2008; 

• Did not work with its contractor actuary before the late October 2008 issuance of the final actuarial 
report for the flood insurance liability to ensure that the materiality standard used in the report was 
acceptable to management for financial statement reporting purposes; 

• Did not timely communicate to its auditors the details of significant changes to the methodology 
used in development of the flood insurance liability, particularly for hurricanes that occurred in 
August and September; and 
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• Does not have sufficient policies and procedures in place to fully comply with the Single Audit Act 
Amendments of 1996 and related OMB Circular No. A-133, Audits of States, Local Governments, 
and Nonprofit Organizations (see Exhibit IV-L, Single Audit Act Amendments of 1996). 

2. FLETC, ICE, and S&T: 

• Have not fully implemented policies and standard operating procedures that will allow 
management to fully assert that environmental liabilities have been recorded, and disclosed in the 
financial statements, in accordance with applicable accounting standards. We noted that: 

FLETC does not have a process in place whereby the Environmental and Safety Division 
identifies the existence of all environmental liabilities, and periodically reports an estimated 
clean up cost to the Finance Division. A detailed review and report was provided to the 
Finance Division in response to an auditor inquiry. In addition, FLETC did not consider all 
potential liabilities in its estimate, e.g., those that may relate to a time period before FLETC 
took possession of the Glynco facility from the Department of Defense; 

ICE has not fully implemented a process and internal controls to identify, estimate, and report 
the potential environmental and disposal liability, and management stated that it had not 
performed or updated its assessment during FY 2008; and 

Some of the remediation projects at S&T do not meet the criteria of an environmental liability 
while others do not include all costs to remediate the liability. We also noted that S&T has not 
performed a comprehensive survey to ensure the completeness of their environmental liability 
estimate. 

• Each of the components do not have sufficient policies, procedures, and processes in place to fully 
comply with FASAB Technical Release No. 2, Determining Probable and Reasonably Estimable 
for Environmental Liabilities in the Federal Government, which requires the exercise of due care 
during the environmental liability estimation process. This can include examining facilities 
transferred to DHS for possible environmental issues. 

Cause/Effect: FEMA accounting staff developed a new grant accrual methodology during FY 2008; 
however, they continued to make revisions throughout the year. FEMA does not have adequate procedures 
in place to monitor the decisions of its contractor actuary in the development of the flood insurance 
liability. As a result, the materiality standard used in the insurance loss reserve may be too high for 
management to accept for financial statement reporting purposes. 

FLETC, ICE, and S&T have historically not considered environmental liabilities to be a matter that could 
have a material effect on the financial statements, and exercising due care involves either the use of an 
outside specialist or in-house engineering capabilities. Coordination with persons outside of the accounting 
departments has hampered the process. In cases where the appropriate expertise has been identified, the 
nature and extent of instructions provided by the accounting division has not been adequate to clearly 
describe the purpose and outcome of the inquiry. 

Criteria: GAO Standards hold that transactions should be properly authorized, documented, and recorded 
accurately and timely. In addition, the Standards state that "Internal control should generally be designed 
to assure that ongoing monitoring occurs in the course of normal operations. It is performed continually and 
is ingrained in the agency's operations. It includes regular management and supervisory activities, 
comparisons, reconciliations, and other actions people take in performing their duties." 

OMB Circular No. A-133, Subpart D, provides for the responsibilities of federal agencies and pass-through 
entities for audits of states, local governments, and non-profit organizations. 

SFFAS No. 6, paragraph 85, defines environmental cleanup costs as those costs for removing, containing, 
and/or disposing of (1) hazardous waste from property, or (2) material and/or property that consists of 
hazardous waste at permanent or temporary closure or shutdown of associated PP&E. Paragraph 88 states 
that these cleanup costs meet the definition of liability provided in SFFAS No. 5. In addition, SFFAS No. 6, 
paragraph 96, states that cleanup cost estimates shall be revised periodically to account for material 
changes due to inflation or deflation and changes in regulations, plans and/or technology. New remediation 
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cost estimates should be provided if there is evidence that material changes have occurred; otherwise 
estimates may be revised through indexing. 

FASAB Technical Release No. 2 states that an agency is required to recognize a liability for environmental 
cleanup costs as a result of past transactions or events when a future outflow or other sacrifice of resources 
is probable and reasonably estimable. The Agency must exercise "due care" in developing its estimated 
environmental liability. Examples of due care are provided in FASAB Technical Release No. 2. 

Recommendations: We recommend that: 

1. FEMA: 

a) Fully implement the designed irternal controls over the quarterly grant accrual; 

b) Develop and implement policies and procedures for the Mitigation Division and the OCFO to 
consult with the actuary developing the flood insurance liability before year-end to review and 
agree with the materiality standard for insurance loss reserves to be used in the final year-end 
report. This agreement and related rationale should be documented; 

c) Develop and implement policies and proceduresfor the Mitigation Division to consult with the 
actuary developing the flood insurance liability before year-end to determine if any significant 
methodology changes will be made in the final year-end report. The details of any changes should 
be communicated timely to the auditor; and 

d) Implement policies and procedures to ensure full compliance with OMB Circular No. A-133. 

2. FLETC, ICE, and S&T: 

a) Finalize and implement standardoperating procedures requiring an annual review / update of 
environmental liabilities recorded in the general ledger, in accordance with applicable accounting 
standards, including procedures for: 

i) Identification andreporting of all material environmental liability estimates; 

ii) Communication, including writteninstructions, to serve as a memorandum of understanding 
between the financial / accounting offices and engineers or specialists who have expertise to 
identify possible pollutants and estimate the clean-up costs; and 

iii) Observance of due care in the process of maintaining the environmental liability estimate for 
financial statement purposes; 

b) Design and implement sufficient management level controls to ensure the completeness, accuracy, 
and proper disclosure of environmental liabilities; and 

c) Ensure that all estimates of environmental liabilities are supported by adequate documentation and 
reviewed by financial management for reasonableness. The supporting documentation should 
include assumptions made, the elements of the estimate calculation, and support for each element 
(e.g. specific type of contamination, square footage of the contaminated area or other applicable 
unit of measurement), the rate or cost per unit to remediate the specific type of contamination, and 
support for the determination of the rate or cost per unit for remediation. 

II-F Budgetary Accounting (FEMA and CBP) 

Background: Budgetary accounts are a category of general ledger 
accounts where transactions related to the receipt, obligation, and 
disbursement of appropriations and other authorities to obligate and 
spend agency resources are recorded. Combined, DHS has over 350 
separate Treasury account fund symbols (TAFS), each with separate 
budgetary accounts that must be maintained in accordance with OMB 
and Treasury guidance. The TAFS cover a broad spectrum of budget 
authority, including annual, multi-year, and no-year appropriations; and 
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several revolving, special, and trust funds. Accounting for budgetary transactions in a timely and accurate 
manner is essential to manage the funds of the Department and prevent overspending of allotted budgets. 

In FY 2008, FEMA implemented a mission action plan (MAP) to perform an extensive review of its open 
obligations related to mission assignments with other Federal agencies. As a result, FEMA was able to 
deobligate over $1 billion in funds prior to year-end, and make those funds available for disaster relief. 
FEMA improved its processes and internal controls over the mission assignment obligation and monitoring 
process in FY 2008; however, some control deficiencies remain. 

In FY 2008, TSA corrected the material weakness in its process of accounting for undelivered orders. 

Conditions: We noted the following internal control weaknesses related to budgetary accounting at FEMA 
and CBP: 

1. FEMA: 

• Did not consistently and adequately monitor the status of its obligations as part of its normal 
operations and ensure the timely deobligation of mission assignments. We noted the following: 

Although a review over UDOs was performed and documented by FEMA during the third and 
fourth quarters of FY 2008, appropriate follow-up action was either not performed or not 
documented for 3 of 57 applicable cases following the third quarter review, and for 6 of 54 
cases following the fourth quarter review; and 

In samples of 85 and 151 mission assignment obligations tested as of June 30 and September 
30, 2008, respectively, approximately 27 percent and 5 percent, respectively, were past their 
projected end dates by more than 90 days and were considered testwork exceptions. 

• Could not provide all supporting documentation for our sample of UDOs other than mission 
assignments and grant UDOs. We noted that responsible parties could not be readily identified, and 
the files were not accessible, or maintained in a form that clearly supported the balances reported 
in the financial statements. 

2. CBP is not enforcing its policies and procedures (Directive 1220-01 IB) to monitor and deobligate or 
close-out its obligations in a timely manner. We noted that CBP did not properly deobligate inactive 
undelivered orders for approximately 58% of a sample as of March 31, 2008. In response to an audit 
inquiry, CBP initiated a review of open obligations and subsequently deobligated approximately $84 
million in open obligations in FY 2008. 

Cause/Effect: Other Federal Agencies (OFAs) did not always provide FEMA with timely progress reports 
that included sufficient cost and billing data, or with a timely response to validation requests of open 
mission assignments. Sufficient documentary evidence was not obtained and/or documented timely for 
Mission Assignment Manager follow-up procedures with the OFAs. The errors in each sample resulted in 
known overstatements, and most likely overstatements in undelivered orders. 

CBP did not properly monitor all open obligations, and consequently government funds may be committed 
and not made available for CBP, or other Federal expenditures, for longer periods of time than necessary. 

Criteria: FEMA's SOP for Processing Mission Assignment and Interagency Payments for Fund Code 06, 
updated April 2007, establishes the process for mission assignment closeouts. If no activity has been 
recorded within the last 90 days, the Disaster Finance Branch initiates the closeout process with the region 
or headquarters. 

The FEMA Form 90-129, Mission Assignment Agreement, states that the OFA is responsible for submitting 
a Mission Assignment Monthly Progress Report to FEMA to include cost data when mission assignments 
take more than 60 days to complete, including billing. 

According to GAO Standards, "transactions should be promptly recorded to maintain their relevance and 
value to management in controlling operations and making decisions. This applies to the entire process or 
life cycle of a transaction or event from the initiation and authorization through its final classification in 
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summary records." Further, "control activities help to ensure that all transactions are completely and 
accurately recorded." 

CBP Directive 1220-01 IB states that financial plan holders will review Systems, Applications, and 
Products (SAP) reports each quarter to reconcile their obligations to supporting records. 

Recommendations: We recommend that: 

1. FEMA: 

a) Consistently monitor the status of its obligatbns as part of the normal business process. Ensure 
that all mission assignments are reviewed and deobligated timely. In addition: 

i) Finalize the development and implementatbn of updated mission assignment policies and 
procedures; 

ii) Enforce the requirement that all OFAs subrrit not only a progress report when the mission 
assignment takes more than 60 days to complete, but a progress report every additional 30 
days that the project remains either programmatically or financially incomplete; and 

iii) Ensure that appropriate personnel consistently perform and follow-up on the results of the 
quarterly obligation reviews to determine whether the remaining balance on a UDO is valid or 
should be deobligated. 

b) Update and improve procedures for documentation of supporting UDO information, including 
points of contact for information, so that supporting information is readily available for 
management review and audit purposes. 

2. CBP: 

a) Continue to enforce CBP Drective 1220-01 IB to ensure that obligations are reviewed and 
deobligated timely. 
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III-G Entity Level Controls (USCG, FEMA, and TSA) 

Background: In FY 2003 - FY 2007, we reported conditions that led to a Departmental level material 
weakness in entity level controls. The Department has undertaken and completed several steps designed to 
strengthen its entity and process level internal controls, and thereby improve the reliability of financial 
reporting. These steps are documented in the Internal Control over Financial Reporting Playbook released 
in March 2008, and in component level Mission Action Plans (MAPs) finalized early in FY 2008. The 
Department continued its OMB Circular No. A-123 program with the help of an external contractor. 

Although weaknesses in entity level controls remain at FEMA and USCG and new entity level findings are 
reported at TSA, we now believe that steps taken by the Department and the Office of the Chief Financial 
Officer in FY 2007 and 2008 have strengthened the internal control framework and substantially mitigated 
component weaknesses, supporting a downgrade of our entity level control findings to a significant 
deficiency. The comments below should be read in conjunction with Comments I-B and II-B, Information 
Technology General and Application Controls, which describe entity level control weaknesses in 
Department and Component IT systems. 

The Coast Guard updated its MAPs and Financial Strategy for Transformation and Audit Remediation 
(FSTAR) in FY 2008. The FSTAR is a comprehensive plan to identify and correct the root causes of 
control deficiencies. However, most of the actions outlined in FSTAR are scheduled for after FY 2008, 
and consequently, we repeat most of our entity level control findings identified at Coast Guard in previous 
years. 

FEMA committed to, and substantially achieved, their MAPs to eliminate account balance qualifications 
identified in the Independent Auditors' Report (IAR) in FY 2007. FEMA also made modest progress 
toward correction of its entity level control deficiencies in FY 2008. While progress has been made, some 
entity level control deficiencies identified at FEMA in previous years continued during FY 2008, and are 
repeated below. 

In FY 2008, TSA successfully addressed some control deficiencies that contributed to IAR qualifications in 
previous years. However, during our audit, we noted new deficiencies that are indicative of continued and 
more significant weaknesses in entity level controls at TSA. 

Conditions: We noted the following internal control weaknesses related to entity level controls at USCG, 
FEMA and TSA: 

1. USCG: 

• Has not fully implemented a financial management structure where: 

GAAP is applied and financial statement balances are appropriately supported, interfering with 
the Coast Guard's ability to assert to the completeness, existence (validity), accuracy, 
valuation, or presentation of their financial data, with the exception of investments and legal 
liabilities; 

Financial management oversight functions complete with an organizational chart, job 
descriptions, roles and responsibilities, and skill sets required, are well defined. Appropriate 
and clear internal reporting relationships have been established resulting in effective financial 
guidance and oversight over internal and external distribution of financial information, 
particularly related to the Federal Managers' Financial Integrity Act of 1982 (FMFIA); and 

The financial management infrastructure is appropriately staffed with experienced financial 
managers and staff to expeditiously identify and address control weaknesses, develop and 
implement effective policies, procedures, and internal controls to ensure that data supporting 
financial statement assertions are complete and accurate. 

• Has not fully implemented an on-going entity-wide risk assessment. 

• Does not have a process to monitor and control timely completion of the MAP or FSTAR 
milestones, and update the status of completion of such milestones. 
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2. FEMA: 

• Has not provided the CFO with clearly defined and complete authority for all financial accounting 
policy, processes, and control functions throughout the agency. 

• Has not effectively communicated the importance of strong financial management and internal 
controls throughout the agency, resulting in several offices not fully cooperating with the OCFO 
related to accounting and auditing matters. 

• Has not developed sufficiently effective methods of communication to ensure that significant 
financial-related events outside of the OCFO (e.g., changes in third party financial services 
providers and development of new software projects) are timely communicated to the OCFO to 
ensure proper and timely accounting and reporting consideration. 

• Has not completed the placement of sufficient financial and accounting resources in its regional 
offices, which contributes to certain issues in mission assignment accounting. Mission assignment 
obligations are not closed out timely, and in a sample of 168 mission assignment payments 
selected for testwork as of March 31, 2008, we noted that approximately 16% of the payments 
were not properly reviewed and approved in accordance with FEMA policy. 

• Has not documented and/or updated formal policies and procedures (including desk manuals) for 
many of the roles, responsibilities, processes, and functions performed within FEMA. For 
example, in FY 2008, we noted that improvements are needed in the formal documentation of 
policies and procedures related to Anti-deficiency Act compliance, policies for monitoring and 
responding to OMB Circular No. A-133 reports, Office of Inspector General (OIG) reports, and 
GAO report findings and recommendations; and the quarterly process for estimating accruals 
(including accrual validation). 

• Has identified the Internal Controls Branch's sole function as the implementation of policies and 
procedures to close findings issued as a result of multiple external audits. Its mission does not 
include internal control monitoring to assess the overall quality and performance of operations on 
a continual basis. 

• Has not committed sufficient resources to ensure that personnel attend required ethics training. 

3. TSA: 

• Lacks a sufficient number of skilled accounting staff in the proper positions in the Financial 
Statements and Report Branch to ensure that accounting policies, procedures, and internal controls 
over financial reporting are appropriate, and continuously effective; and to ensure that accounting 
principles are correctly applied in a timely manner. 

• The organizational structure in finance and accounting, including an understanding and assignment 
of roles and responsibilities for financial oversight, supervision, and review may not be optimally 
aligned with its resources. 

• Did not provide contractors retained to prepare materials for the financial statement audit with 
adequate management direction, supervision, and review, resulting in substantial rework, and 
delays in completion of the audit. 

• Has weaknesses in communication, instruction, training, supervision and/or coordination with 
personnel outside of the office of financial management, that contribute to control weaknesses in 
processes dependent on operations. For example, idle assets maintained in an off-site warehouse by 
operational personnel may not be accounted for properly, due to a lack of understanding of, or 
willingness to follow, financial policies. 

• Lacks sufficient oversight of financial reporting functions and consequently errors or 
misapplication of GAAP may go undetected, in some cases for several years, or until questioned 
by an auditor. 
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These conditions lead directly to a number of audit findings in FY 2007 and in FY 2008 that when 
considered in aggregate, point to weaknesses in entity level controls. FY 2008 new findings reported 
elsewhere in our report include: 

Two new material weaknesses in internal control, Comment II-A, Financial Reporting, and 
Comment II-D, Capital Assets and Supplies; 

Significant restatements to prior year financial statements to correct multiple errors in capital 
assets balances described in Comment II-D, Capital Assets and Supplies, and to correct a 
misapplication of GAAP, described in Comment II-A, Financial Reporting; and 

Inability to complete its investigation of the errors in capital assets, referred to in Comment II- 
D, Capital Assets and Supplies, and record correcting adjustments prior to the completion of 
the DHS FY 2008 AFR, resulting in a qualification in the Independent Auditors' Report. 

Cause/Effect: The Coast Guard's management has acknowledged that longstanding procedural, control 
personnel, IT, and cultural issues have impeded progress toward installing an effective financial 
management structure. The conditions described above continue to prevent the Coast Guard and DHS from 
timely preparation of accurate financial information and reports, and have also contributed to the conditions 
reported in Exhibit I-A, Financial Reporting, as well as other control deficiencies described in Exhibit I. 

FEMA devoted substantial resources to correcting financial statement balances that could not be audited in 
FY 2007. Consequently, FEMA devoted comparatively less attention to improving the underlying 
accounting processes and correcting control deficiencies in FY 2008. 

TSA, similar to FEMA, devoted resources to correcting financial statement balances that could not be 
audited in FY 2007. Management attempted to supplement its staff with contractors; however, the nature 
and extent of issues in capital asset balances, including the need to restate prior year reported balances, 
overwhelmed TSA's capacity to properly staff and supervise the project, and to fully correct control 
deficiencies in FY 2008. Also, TSA has not updated its entity level control self assessment (necessary for 
OMB Circular No. A-123 purposes) since 2006, which may have identified some or all of these conditions 
before our audit. 

In their FY 2008 representations made to the Secretary pursuant to the DHS Financial Accountability Act, 
USCG and FEMA, each stated that they had not yet completed enough testing to provide reasonable 
assurance that internal controls were achieving their intended objectives. 

Criteria: OMB Circular No. A- 1 23 , Management 's Responsibility for Internal Control, as revised, states 
that internal controls are the organization, policies, and procedures that agencies use to help program and 
financial managers achieve results and safeguard the integrity of their programs. 

FMFIA requires that agencies establish internal controls according to standards prescribed by the 
Comptroller General. These standards are established in the GAO Standards for Internal Control in the 
Federal Government (Standards). The GAO defines internal control as an integral component of an 
organization's management that provides reasonable assurance that the following objectives are achieved: 
effectiveness and efficiency of operations, reliability of financial reporting, and compliance with applicable 
laws and regulations. 

The GAO Standards identify the control environment as one of the five key elements of control, which 
emphasizes the importance of conscientiousness in management's operating philosophy and commitment to 
internal control. These standards cover controls such as human capital practices, supervisory reviews, 
policies, procedures, monitoring, and segregation of duties. 

Recommendations: We recommend that: 

1. USCG: 

a) Review and enhance the ertity level controls MAP to include steps to fully assess entity level 
controls, develop effective corrective actions, and implement improved financial processes and 
systems; 
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b) Evaluate how recommendations from recent internal organizational and process assessments 
impact the conditions cited above, as well as the other conditions identified in Exhibit I-A, 
Financial Reporting, such as the number and type of personnel and resources needed, along with 
the requisite skills and abilities necessary, to provide effective guidance and oversight to program 
offices that are significant to financial management and reporting, and make the recommendations 
to senior management, as appropriate; and 

c) Ensure that its FSTAR/MAP actionsas designed and performed are: 

i) Effective in addressingall of the material weaknesses described in Exhibit I; and 

ii) Coordinated and prioritized with input from the Department's CFO to address matters that are 
preventing the Department from preparing reliable financial statements, and executing its 
fiscal management responsibilities. 

2. FEMA: 

a) Provide the CFO with clear authority to develop andimplement accounting and financial reporting 
policies, procedures, and internal controls throughout the Agency. Program offices should be 
required to adhere to policies; 

b) Consistently emphasize the imporance of strong financial management and internal controls 
throughout the agency; 

c) Develop communication protocolsagency-wide to ensure that significant financial-related events 
outside of the OCFO are timely communicated to the OCFO for proper and timely accounting and 
reporting consideration; 

d) Fully implement plans to place comptrollers in each regional office, to address weaknesses related 
to mission assignment accounting and implementation of financial directives described above; 

e) Ensure that formal policies and procedures (hcluding desk manuals) are documented and current 
for all significant roles, responsibilities, processes, and functions performed within FEMA; 

f) Expand the mission andstaffing of the Internal Controls Branch to perform internal control 
monitoring to assess the overall quality and performance of operations on a continual basis; and 

g) Develop procedures and dedicate resources to pcvide, track compliance with, and monitor the 
annual and new hire ethics training requirements. 

3. TSA: 

a) Update the OMB Circular A- 123 review of entity level controls and complete the GAO self 
assessment tool for entity level controls. Evaluate the deficiencies identified by the process and 
take appropriate corrective actions, including the development of a MAP for OCFO approval in 
FY 2009; 

b) Conduct a human resource needs assessment and financial organizational assessment to identify 
gaps in skill-sets, hire or re-align personnel to fill the gaps, and assign personnel with 
responsibilities that best match their expertise; 

c) Consider updating the financial organizational structure based on the human resources needs 
assessment; 

d) Strengthen the monitoring and supervision process over financial reporting, and use of contractors; 

e) Consistently emphasize the importance of strong financial management and internal controls 
throughout the agency; 

f) Improve communications, training, instruction and oversight of non-accounting personnel that are 
essential to the accounting process, and fair and timely presentation of financial statement 
balances; and 
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g) Consider additional training to ensure that all general ledger and financial management personnel 
are kept current of GAAP requirements. 

III-H Custodial Revenue and Drawback 

Background: CBP collects approximately $3 1 .4 billion in annual import duties, taxes, and fees on 
merchandise arriving in the United States from foreign countries (identified below as the Entry Process). 
Receipts of import duties and related refunds are presented in the statement of custodial activity in the DHS 
financial statements. 

Drawback is a remittance, in whole or in part, of duties, taxes, or fees previously paid by an importer. 
Drawback typically occurs when the imported goods on which duties, taxes, or fees have been previously 
paid, are subsequently exported from the United States or destroyed prior to entering the commerce of the 
United States. 

Our findings on the Entry Process include In-bond, Bonded Warehouse, Foreign Trade Zones, and the 
Compliance Measurement Program (CM). In-bond entries occur when merchandise is transported through 
one port; however, the merchandise does not officially enter U.S. commerce until it reaches the intended 
port of destination. Bonded Warehouses (BWH) are facilities, under the joint supervision of CBP and the 
Bonded Warehouse Proprietor, used to store merchandise that has not made entry into the United States 
commerce. Foreign Trade Zones (FTZ) are secured areas under CBP supervision that are used to 
manufacture goods that are considered outside of the United States commerce for duty collection. 

CM is the primary method by which CBP measures risk in the areas of cargo security, trade compliance, 
and revenue collection. CBP utilizes the CM program to measure the effectiveness of its control 
mechanisms deployed, and its execution in collecting revenues rightfully due to the U.S. Department of the 
Treasury. 

Conditions: We noted the following internal control weaknesses related to custodial activities at CBP: 

Related to drawback: 

• The Automated Commercial System (ACS) lacks automated controls to detect and prevent 
excessive drawback claims and overpayments, necessitating inefficient manual processes that do 
not effectively compensate for these automated controls. 

• ACS lacks controls to prevent the overpayment of drawback claims at the summary line level. 

• Drawback review policies do not require drawback specialists to review all, or a statistically valid 
sample, of prior drawback claims against the underlying consumption entries (UCE) to determine 
whether, in the aggregate, an excessive amount was claimed. 

• Drawback review policy and procedures allow drawback specialists, with supervisory approval, to 
judgmentally decrease the number of ACS selected UCEs randomly selected for review, thus 
decreasing the review's effectiveness. Further, CBP implemented a new sampling methodology 
for selecting UCEs; however, this methodology is not considered to be statistically valid. 

• The period for document retention related to a drawback claim is only three years from the date of 
payment. However, there are several situations that could extend the life of the drawback claim 
well beyond three years. 

Related to the Entry Process: 

• CBP is unable to determine the status of the in-bond shipments and lacks policies and procedures 
that require monitoring the results of in-bond audits and require the review of overdue immediate 
transportation in-bonds or air in-bonds. 

• CBP does not perform an analysis to determine the potential loss of revenue through the in-bond 
process as a result of goods entering the commerce of the U.S. without formal entry. 
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• CM oversight guidelines do not provide complete coverage over the CM program. The ports are 
not following a consistent set of procedures when performing CM reviews, and there are 
weaknesses in the oversight and monitoring of the CM program. 

• Current BWH and FTZ Compliance Review Manuals lack specific guidance for ports to determine 
the appropriate risk assessment of a BWH or FTZ. In addition, HQ review of the BWHs and FTZs 
assessment results can take up to six months to compile and analyze. Furthermore, CBP does not 
maintain a centrally managed list of all BWHs and FTZs. 

Cause/Effect: IT system functionality and outdated IT systems contribute to the weaknesses identified 
above. For example, CBP is unable to determine the status of the in-bond shipments with the information 
available within ACS, and CBP does not have the ability to run an oversight report to determine if ports 
have completed all required audits. For drawback, much of the process is manual until planned IT system 
functionality improvements are made, placing an added burden on limited resources. CBP's IT systems do 
not maintain one centrally managed list of all BWHs and FTZs. 

The inability to effectively monitor the in-bond process and verify the arrival of in-bond merchandise at the 
port level can lead to a potential loss in revenue. This potential loss in revenue is due to uncollected duties 
and fees on in-bond merchandise that has physically entered U.S. commerce without formal entry. 

The weaknesses in the CM program could result in CBP incorrectly evaluating the effectiveness of its 
control environment over the collections of duties, taxes, and fees. 

It is possible that BWH/FTZ operators and users may be able to operate BWHs and FTZs that contain 
merchandise that CBP has no or limited knowledge about. 

Criteria: Under FMFIA, management must implement cost-effective controls to safeguard assets and 
ensure reliable financial reporting. OMB's Revised Implementation Guidance forFFMIA, states that 
financial systems should "routinely provide reliable financial information consistently, accurately, and 
reported uniformly" to support management of current operations. 

The Financial Systems Integration Office (FSIO) publications and OMB Circular No. A-127 outline the 
requirements for Federal financial systems. The Office of Federal Financial Management's Core Financial 
System Requirements, dated January 2006, states that the core financial system must maintain detailed 
information sufficient to provide audit trails and to support reconciliation and research activities. OMB 
Circular No. A-127, Financial Management Systems, requires that the design of financial systems should 
eliminate unnecessary duplication of a transaction entry. Wherever appropriate, data needed by the systems 
to support financial functions should be entered only once, and other parts of the system should be updated 
through electronic means consistent with the timing requirements of normal business/transaction cycles. 

The Improper Payments Information Act of 2002 requires agencies to annually review programs and 
activities and identify any that may be susceptible to significant improper payment. Whenever an agency 
estimates that improper payments may exceed $10 million, it must also provide a report on what actions are 
being taken to reduce such payments. In addition to the regulatory requirements stated above, CBP's 
Drawback Handbook, dated July 2004, states that management reviews are necessary to maintain a uniform 
national policy of supervisory review. 

Recommendations: We recommend that CBP: 

1 . Related to drawback: 

a) Implement effective internal controls over drawbackclaims as part of any new system initiatives, 
including the ability to compare, verify, and track essential information on drawback claims to the 
related underlying consumption entries and export documentation for which the drawback claim is 
based, and identify duplicate or excessive drawback claims; 

b) Implement automated controls within ACSand the Automated Commercial Environment (ACE) 
to prevent overpayment of a drawback claim; 

c) While ACE is in development, collaborate with ACE de/elopers/engineers to ensure that the new 
system eliminates the need for statistical sampling of UCE and prior related drawback claims as 
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drawback claims. In addition, until ACE is implemented, we recommend that CBP explore other 
statistical approaches for selecting UCEs and prior related drawback claims under the current ACS 
environment; and 

d) Continue to work with the U.S. Congress to laigthen the required document retention period for 
all supporting documentation so that it corresponds with the drawback claim life cycle. 

2. Related to the Entry Process: 

a) Implement a standard procedure to periodicallycompile the results of all in-bond audits during the 
year and develop an analysis function in order to evaluate the importers' compliance with 
regulations; 

b) Develop policies and procedures to monitor theresults of in-bond audits at the port level and to 
require reviews of overdue immediate transportation in-bonds and air in-bonds; 

c) Analyze the in-bond program annually to determine thepotential loss of revenue relating to in- 
bonds; 

d) Provide additional detail in the CM guidelines, specifying the use of the monitoring report, data 
queries, and any other tools to provide complete coverage over the CM program. The guidance 
should also readdress the timing requirements for the monitoring reports or data queries and 
documentation retention; 

e) Conduct periodic training to ensure that allport personnel have comprehensive knowledge of the 
CM program requirements; and 

f) Develop standard operating procedures for conducting risk assessments for all BWHs and FTZs. 
In addition, develop standardized procedures for HQ or field office oversight to ensure compliance 
review schedules are being reviewed timely and provide effective training to ensure that all ports 
are aware of updates and changes to the program and can consistently execute all requirements 
presented in the compliance review manuals and handbooks. 

III-I Deferred Revenue (USCIS) 

Background: Throughout the year, the United States Citizenship and Immigration Service (USCIS) 
receives millions of applications and petitions for various immigration and naturalization benefits. 
Applications are received and processed at four service centers, the National Benefits Center (NBC), over 
30 district offices, and numerous satellite offices. An application fee is associated with most applications 
received. USCIS recognizes these fees as revenue upon adjudication of the application. The fees 
associated with applications received but still pending adjudication at the end of a period are considered 
deferred revenue. 

Conditions: We noted the following internal control weaknesses related to deferred revenue at USCIS: 

• Deficiencies in policies and procedures over its deferred revenue quality assurance (QA) process. 
We noted that USCIS: 

Did not initially use a statistician with experience in developing the type of methodology 
needed by USCIS for the selection of QA samples; 

Does not perform deferred revenue ' floor-to-list' QA procedures over CLAIMS 4 
naturalization applications located at Service Centers; 

Does not have detailed QA instructions that ensure consistent practices (non-statistical 
selection, random selection, etc.) for selecting QA samples in the Service Centers and District 
Offices; 

Does not have policies describing and requiring follow-up actions to be carried out when 
results of the QA fall outside the acceptable range specified in the USCIS sampling 
methodology; and 
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Personnel performing the deferred revenue QA procedures have a general lack of 
understanding and/or have differing perceptions as to what constitutes a 'pending' case, and 
what the QA procedures are meant to validate for financial reporting purposes. 

• Does not have policies and procedures that require correction of the errors once discovered. 

Further, once the errors are identified, there is little formal follow-up to determine the root cause of 
the error. 

Cause/Effect: The deferred revenue QA process and development of management's estimate of deferred 
revenue is a time consuming process and requires a large use of resources both at the field sites and at 
USCIS headquarters. Further, enhancements to the manual controls over the application processing process 
will generally not be made until new application tracking computer systems are implemented. However, 
error rates indicative of a control deficiency have been identified through the USCIS QA process and exist 
on USCIS' three largest application tracking systems: CLAIMS 3, CLAIMS 4, and RNACS. These 
weaknesses may result in a misstatement of deferred revenue, and systemic problems may not be identified 
and resolved. In addition, USCIS uses multiple, non-integrated systems for processing immigration and 
naturalization applications. 

Criteria: OMB Circular No. A- 123 states that internal controls are the organization, policies, and 
procedures that agencies use to help program and financial managers achieve results and safeguard the 
integrity of their programs. 

According to the USCIS Quality Management Branch (QMB)'s Quality Assurance procedures guidance 
and client discussion, an analysis is required to be performed on all results that Headquarters receives from 
the District Offices and Service Centers. The analysis further verifies that the information that is being 
reported is complete and accurate. If any discrepancies are noted, Headquarters is to follow up with the 
issue and make sure the issue has been resolved. 

Recommendations: We recommend that: 

1. USCIS: 

a) Revise the design of the deferred revenue QAprocess so that Service Centers perform 'Floor-to- 
List' testing of CLAIMS 4 naturalization applications in addition to CLAIMS 3 immigration 
applications, to ensure the completeness of deferred revenue; 

b) Institute specific, detailed sampling instructions andQA training to ensure uniformity in the 
manner in which 'Floor-to-List' applications are selected and the validity of results are analyzed; 

c) Revise the design of the deferred revenue QA process at QMB so that a prescribed set of steps are 
carried out whenever quarterly QA results are outside the acceptable deviation rate; 

d) Enhance the design of the deferred revenue QAprocess to include a risk-based over-sampling of 
previous quarters' results, either by location or application type, to help identify and resolve the 
root cause of the errors; 

e) Train the individuals performing the variousaspects of the deferred revenue QA process on the 
objectives of the QA as well as definitions of 'pending' applications for deferred revenue 
purposes; 

f) Correct the errors in application status when identified through the deferred revenue QA process to 
improve the integrity of system data relied on for financial reporting purposes, and analyze each 
error identified to determine whether there are any common causes of the errors that occur; 

g) Track all pending applications within one system or in a series of systems that are integrated; and 

h) Evaluate the overall data qiality within the various systems to plan for pre-conversion validation 
of data. 



III. 8 



Independent Auditors' Report 

Exhibit IV - Compliance and Other Matters - All DHS Components 



(Exhibits I and II include Comments A - F, and Exhibit III presents Comments G - 1) 

All of the compliance and other matters described below are repeat conditions from FY 2007. 

IV-J Federal Managers' Financial Integrity Act of 1982 (FMFIA) 

Office of Management and Budget (OMB) Circular No. A-123, Management 's Responsibility for Internal 
Control, requires agencies and Federal managers to: (1) develop and implement internal controls; (2) assess the 
adequacy of internal controls; (3) separately assess and document internal control over financial reporting; (4) 
identify needed improvements; (5) take corresponding corrective action; and (6) report annually on internal 
controls. During FY 2008 and 2007, the Department of Homeland Security (DHS or the Department) 
developed an annual Internal Controls over Financial Reporting Play book to implement corrective actions and 
support management assurances by performing tests of design and operating effectiveness on entity level 
controls and other financial accounting and reporting processes. DHS' implementation of OMB Circular No. 
A-123 facilitates compliance with FMFIA. The DHS Financial Accountability Act of 2004 requires DHS to 
submit an annual audit opinion of internal control over financial reporting. 

While we noted the Department overall has taken positive steps toward full compliance with FMFIA, OMB 
Circular No. A-123, and the DHS Financial Accountability Act, the Coast Guard has not fully established 
effective systems, processes, policies, and procedures to develop and implement internal accounting and 
administrative controls, and conformance of accounting systems. In addition, the Transportation Security 
Administration (TSA), National Preparedness Directorate (NPPD), and the Federal Emergency Management 
Agency (FEMA)'s control assessment processes require improvement to ensure full compliance with FMFIA. 

Recommendation: We recommend that the Coast Guard, TSA, NPPD, and FEMA fully implement the FMFIA 
process, as prescribed by the OCFO, to ensure full compliance with FMFIA and its OMB-approved plan for 
Circular No. A-123 implementation in FY 2009. 

IV-K Federal Financial Management Improvement Act of 1996 (FFMIA) 

FFMIA Section 803(a) requires that agency Federal financial management systems comply with (1) applicable 
Federal accounting standards; (2) Federal financial management system requirements; and (3) the United States 
Government Standard General Ledger (USSGL) at the transaction level. FFMIA emphasizes the need for 
agencies to have systems that can generate timely, reliable, and useful information with which to make 
informed decisions to ensure ongoing accountability. OMB Circular No. A-123 requires agencies and Federal 
managers to: (1) develop and implement internal controls; (2) assess the adequacy of internal controls; (3) 
separately assess and document internal control over financial reporting; (4) identify needed improvements; (5) 
take corresponding corrective action; and (6) report annually on internal controls. During FY 2008, DHS 
OCFO continued with its implementation of OMB Circular No. A-123 by performing tests of design and 
operating effectiveness on entity level controls and other financial accounting and reporting processes as 
planned. The DHS Financial Accountability Act of 2004 requires DHS to submit an annual audit opinion of 
internal control over financial reporting. 

While we noted the Department overall has taken positive steps toward full compliance with FFMIA, the Coast 
Guard, CBP, FEMA, FLETC, and TSA did not fully comply with at least one of the requirements of FFMIA. 
The reasons for noncompliance are reported in Exhibits I, II, and III. The Secretary of DHS also has stated in 
the Secretary's Assurance Statements dated November 13, 2008, as listed in Management's Discussion and 
Analysis (MD&A) of the Department's 2008 Annual Financial Report (AFR), that the Department cannot 
provide assurance that its financial management systems are in substantial compliance with the requirements of 
FFMIA. The Department's remedial actions and related timeframes are also presented in that section of the 
AFR. 

An element within FFMIA Federal system requirements is ensuring security over financial management 
information. This element is addressed further in the Federal Information Security Management Act of 
2002 (FISMA), which was enacted as part of the E-Government Act of 2002. FISMA requires the head of 
each agency to be responsible for (1) providing information security protections commensurate with the 
risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, 
modification, or destruction of (i) information collected or maintained and (ii) information systems used or 
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operated; (2) complying with the requirements of the Act and related policies, procedures, standards, and 
guidelines, including (i) information security standards under the United States Code, Title 40, Section 
11331 and (ii) information security standards and guidelines for national security systems; and (3) ensuring 
that information security management processes are integrated with agency strategic and operational 
planning processes. 

We noted weaknesses in financial systems security, reported by us in Exhibits I-B and II-B, Information 
Technology General and Application Controls, which impact the Department's ability to fully comply with 
FISMA. 

Recommendation: We recommend that DHS improve its financial management systems to ensure 
compliance with the FFMIA, and implement the recommendations provided in Exhibits I, II, and III in FY 
2009. 

IV-L Single Audit Act Amendments of 1996, and Laws and Regulations Supporting OMB Circular No. 
A-50, Audit Follow-up, as revised 

During 2007, DHS' Grants and Training (G&T) Directorate merged its grants making function with FEMA. 
FEMA is now the only DHS component that has a significant grant making operation. OMB Circular No. A- 
133, Audits of States, Local Governments, and Non-Profit Organizations, requires agencies awarding grants to 
ensure they receive grantee reports timely and to follow-up on Single Audit findings to ensure that grantees take 
appropriate and timely action. Although FEMA has adopted procedures to monitor grantees and their audit 
findings, FEMA did not fully comply with provisions in OMB Circular No. A- 133 in FY 2008. We noted that 
FEMA does not always obtain and review grantee Single Audit reports in a timely manner, or follow up on 
questioned costs and other matters identified in these reports. Because Single Audits typically are performed by 
other entities outside of DHS, procedures related to these reports are not always entirely within the control of 
DHS and its components. 

OMB Circular No. A-50, as revised, provides guidance for use by executive agencies when considering reports 
issued by Inspectors General, other executive branch audit organizations, the GAO, and non-Federal auditors, 
where follow up is necessary. Corrective action taken by management on findings and recommendations is 
essential to improve the effectiveness and efficiency of government operations, and to support the objectives of 
sound fiscal management. The DHS OCFO has developed an extensive corrective action plan that requires each 
component to develop and execute corrective actions to address all material weaknesses in internal controls. 
This strategy is documented in the DHS Internal Controls over Financial Reporting (ICOFR) "Playbook." 
Progress is monitored by the CFO, and regularly reported to OMB and other outside stakeholders, such as 
Congressional Committees. We noted that each component has complied with the OCFO directive to develop 
corrective actions, and they have been reviewed and approved by the CFO. All DHS components have made 
progress toward remediation of material internal control weaknesses; however, as shown in Exhibits I, II and 
III, deficiencies identified in prior years have not been fully corrected in FY 2008. 

Recommendations: We recommend that: 

Regarding Single Audit Act Amendments of 1996: 

1 . FEMA develop procedures to ensure compliance with its policy to obtain and review grantee Single Audit 
reports in a timely manner, and follow-up on questioned costs and other matters identified in these reports. 
We also recommend that FEMA perform the following in FY 2009: 

a) Further develop and implement a tracking system to identify each grantee for which an OMB Circular 
No. A- 133 Single Audit is required, and the date the audit report is due; 

b) Use the tracking system to ensure audit and performance reports are received timely, and follow-up 
when reports are overdue; and 

c) Perform reviews of grantee audit reports, issue-related management decisions, and ensure that the 
grantees take appropriate corrective action, on a timely basis. 
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Regarding OMB Circular No. A-50, Audit Follow-up, as revised 

DHS continue to follow and complete the actions defined in its ICOFR "Playbook," to ensure that audit 
recommendations are resolved timely and corrective action plans addressing all DHS audit findings are 
developed and implemented together with appropriate supervisory review in FY 2009. 

IV-M Improper Payments Information Act of 2002 

DHS is required to comply with the Improper Payments Information Act of 2002 (the Act or IPIA). The Act 
requires agencies to review all programs and activities they administer annually and identify those that may be 
susceptible to significant erroneous payments. For all programs and activities where the risk of erroneous 
payments is significant, agencies must estimate the annual amounts of erroneous payments, and when the 
estimate exceeds $10 million, report the estimates to the President and Congress with a progress report on 
actions to reduce them. The agency must report a statistically valid error projection for susceptible programs in 
its annual Performance and Accountability Report (PAR). To facilitate the implementation of the Act, OMB 
issued guidance in Memorandum M-03 - 1 3 , Implementation Guide for the Improper Payments Information Act 
of 2002, and in Appendix C, Requirements for Effective Measurement and Remediation of Improper Payments, 
to OMB Circular No. A-123, which provides a recommended process to meet the disclosure requirements. 

In FY 2008, we noted the Department has taken positive steps toward full compliance with IPIA and Appendix 
C of OMB Circular No. A-123, including strengthening guidance, training, and oversight; identifying programs 
subject to IPIA; conducting a comprehensive process to assess the risk of programs susceptible to improper 
payments; and performing sample testing of programs. However, FEMA did not fully comply with the Act in 
FY 2008. We noted that FEMA: 

• Excluded some programs from the scope of the IPIA risk assessment and test work. Specifically, 
FEMA excluded Mission Assignments and Technology Transfer Program from the scope of the 
IPIA test work; 

• Excluded five programs identified as high risk of significant improper payments during the 
assessment process from testing; and 

• Did not develop Mission Action Plans (MAPs) for five programs identified as "high risk" during 
the risk assessment process if no statistical sampling was performed to validate those risks during 
FY2008. FEMA completed a test pilot for these programs. 

Recommendation: We recommend that FEMA fully implement the IPIA process, including performing 
risk assessments for all the programs it administers. We also recommend that FEMA complete its efforts to 
ensure that all programs identified as susceptible to significant improper payments in its annual risk 
assessment are subject to sampling, testing and analysis to determine the required statistically valid error 
rate to be reported in the DHS Annual Financial Report. 

IV-N Chief Financial Officers Act of 1990 

The DHS Financial Accountability Act of 2004 made DHS subject to the Chief Financial Officers Act of 1990, 
as amended, which requires DHS to submit to the Congress and OMB audited financial statements annually. 
DHS' Office of the Inspector General (OIG) has engaged an independent auditor to audit the September 30, 
2008 balance sheet and related statement of custodial activity. Other financial statements, including the 
statements of net cost, net position, and budgetary resources, are not currently auditable. DHS must be able to 
represent that its balance sheet is fairly stated, and obtain at least a qualified opinion before it is practical to 
extend the audit to other financial statements. 

Recommendation: We recommend that DHS and its components continue to implement the Mission Action 
Plans described in DHS' ICOFR "Playbook" (see Comment IV - J, Federal Managers ' Financial Integrity Act 
of 1982, above) to remediate the FY 2008 material weaknesses and significant deficiencies, and improve its 
policies, procedures, and processes, as necessary, to allow management to assert that all financial statements are 
fairly stated in compliance with accounting principles generally accepted in the United States, and are ready for 
an independent audit. 
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IV-O Government Performance and Results Act of 1993 (GPRA) 

The Government Performance and Results Act requires each agency to develop a strategic plan that includes a 
description of how goals and objectives are to be achieved, including a description of the operational processes, 
skills and technology, and the human capital and other resources required to meet those goals and objectives. 
The Department's annual performance plan and performance reports that measure progress toward achieving 
strategic goals and related performance metrics are also integral to compliance with GPRA. We noted that 
DHS' Strategic Plan expired on October 1, 2006 and the Department had not provided an updated Strategic Plan 
prior to September 2008. Consequently, the Department was not in compliance with the requirements of GPRA 
during FY 2008. 

Recommendation: We recommend that DHS ensure full compliance with GPRA by aligning all performance 
goals to its strategic objectives in the new Strategic Plan in FY 2009. 

IV-P Debt Collection Improvement Act of 1996 (DCIA) 

The DCIA of 1996 (DCIA) is intended to significantly enhance the Federal Government's ability to service 
and collect debts. Under the DCIA, the Treasury assumes a significant role for improving government-wide 
receivables management. The DCIA requires Federal agencies to refer eligible delinquent nontax debts 
over 180 days to U.S. Treasury for the purpose of collection by cross-servicing or the offset program. Our 
tests of compliance disclosed instances where DHS was not in compliance with certain provisions of the 
DCIA. Specifically, we noted that due process is not performed in a timely manner to ensure that some 
eligible debts are forwarded to the Treasury for cross-servicing or the offset program within the timeframes 
established by DCIA. 

Recommendation: We recommend that DHS develop policies and procedures to ensure full compliance 
with the DCIA in FY 2009. 

IV-Q Anti-Deficiency Act (ADA) 

DHS and Federal Law Enforcement Training Center (FLETC) management notified us of an Anti- 
deficiency Act violation that occurred at FLETC, where a capital lease dating back to FY 2001 was not 
fully funded. The DHS Secretary has reported the violation to the President of the United States, the 
President of the Senate, the Speaker of the House of Representatives, and the Comptroller General, as 
required by 31 U.S.C. Section 1351. 

In addition, various other management reviews and OIG investigations are on-going within the Department 
and its components that may identify ADA violations. The FLETC ADA violation described above relates 
to one building lease. FLETC has two other similar building leases that have been reviewed by the 
Department and determined to be operating leases and therefore a violation of ADA has not occurred. The 
OIG plans to initiate an independent review of the Department's decision to classify the two other FLETC 
buildings as operating leases. The OIGs review may identify additional ADA violations. The OIG has 
initiated a review, at FEMA management's request, of certain expenditures occurring in previous years that 
may have violated the Anti-deficiency Act. The Coast Guard management is reviewing a possible ADA 
violation related to use of funds to purchase assets that may identify a violation of the ADA. NPPD 
management is continuing their review, initiated in FY 2007, over the classification and use of certain 
funds that may identify an ADA violation. In addition, NPPD management has initiated a review of certain 
fees collected for attendance at a DHS-sponsored annual conference that may identify a violation of the 
Anti- deficiency Act. 

Recommendations: We recommend that FLETC continue to implement the remedial actions resulting from 
its internal investigation of this matter. We recommend that the Department, along with the OIG and the 
other components, complete the internal reviews currently planned or being performed, and properly report 
the results in compliance with the ADA if necessary. 
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Office of the Chief Financial Officer 
U.S. Department of Homeland Sccui 
Washington, DC 20528 



llllf Homeland 
IIP Security 



November 12, 2008 



MEMORANDUM FOR: 



Richard L. Skinner 
Inspector General 



FROM: 



David L. Norqui; 
Chief Financial ( 



Officer 



SUBJECT: 



Fiscal Year (FY) 2008 Financial Statement Audit 



Thank you for the opportunity to comment on the Independent Public Accountant's audit of our 
balance sheets as of September 30, 2008 and 2007, and the related statement of custodial 
activities. We agree with the Independent Public Accountant's conclusions. 

Although the report on internal controls and compliance indicates that DHS still faces serious 
financial management challenges, the auditor also acknowledges the significant progress made 
this year. Specifically, DHS reduced the number of audit qualifications from six to three, 
reduced material weaknesses from seven to six, and reduced the number of component 
conditions contributing to material weaknesses from 16 to 13. This progress was possible due to 
the efforts of many throughout the Department who worked to develop and implement 
meaningful corrective actions to strengthen financial management processes and internal 
controls. 

The FY 2008 audit results show that our corrective actions are working, and we are already 
updating our plans to address issues identified by the auditors and our own A- 123 assessment. 
Our plans will continue to focus both on sustaining progress, as well as supporting corrective 
actions in areas where weaknesses remain. This year, we have expanded our plans to include 
developing and implementing action plans to remediate areas identified as internal control 
significant deficiencies. 

Financial management at DHS has come a long way and I continue to be inspired by the 
dedication and extraordinary efforts of the Department's financial management community. I 
would also like to thank you for your efforts and the dedication shown by your staff and the 
Independent Public Accountant in working with the Department to improve financial 
management. I appreciate the partnership we have forged and I am confident that this 
partnership will allow DHS to continue to improve financial management in support of our 
important mission. 
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ADDITIONAL INFORMATION AND COPIES 

To obtain additional copies of this report, please call the Office of Inspector General (OIG) at (202) 254-4199, 
fax your request to (202) 254-4305, or visit the OIG web site at www.dhs.gov/oig. 



OIG HOTLINE 

To report alleged fraud, waste, abuse or mismanagement, or any other kind of criminal or noncriminal 
misconduct relative to department programs or operations: 

• Call our Hotline at 1-800-323-8603; 

• Fax the complaint directly to us at (202) 254-4292; 

• Email us at DHSOIGHOTLINE@dhs.gov; or 

• Write to us at: 

DHS Office of Inspector General/MAIL STOP 2600, 
Attention: Office of Investigations - Hotline, 
245 Murray Drive, SW, Building 410, 
Washington, DC 20528. 



The OIG seeks to protect the identity of each writer and caller. 



